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i. INTRODUCE TO: 


Pos SUMMARY 

The purpose of this thesis is to examine the Department 
of the Navy (DON) accreditation process, in general, and how 
it specifically relates to the shipboard microcomputer 
environment. The goal of the DON Automated Data Processing 
(ADP) security program i1s° accreditation of all DON ADP 
systems and networks, based on a review of the existing ADP 
security posture. The purpose of accreditation is to ensure 
the activity or network is operating at an acceptable level 
Of. tisk. Within the DON, accreditation is defined as a 
policy decision by the responsible Designated Approving 
Authority (DAA). Accreditation results in ae formal 
declaration that appropriate security countermeasures have 
been properly implemented for the ADP activity or network. 

OPNAVINST 5239.1A is the Department of the Navy 
Automated Data Processing Security Program instruction. The 
most significant limitation of OPNAVINST 5239.1A is that it 
lacks a valid method for making cost effectiveness a 
selection criterion for countermeasures. The metric used 
for selecting countermeasures is return on investment (ROI), 
the ratio of annual savings to annual cost of additional 
countermeasures. The annual savings is comprised of the 


difference between the estimated annual loss expectancy 


(ALE) of the ADP system before and after countermeasures are 
installed. The method is questionable because it uses 
Petimatces whieh are difficult to predict accurately. A 
method is needed which provides a systemic approach to 
determining an ADP system's most cost effective 
countermeasures. 

It can be argued that another limitation of OPNAVINST 
5239.1A is that it is oriented toward main frame operations 
and assumes a high level of organizational computer 
expertise. This assumption may not hold true (for 
organizations using mini or microcomputers. Further, this 
assumption complicates the accreditation process because 
such organizations often lack individuals skilled in formal 
ADP administrative procedures. Consequently, simplified 
alternative approaches to the accreditation process should 


be examined and developed. 


B. AN ALTERNATIVE 

Cecula (1985) advocates the use of baseline security 
safeguards in organizations with many Similar ADP 
facilities. He postulates that if multiple risk analyses 
were conducted patterns would become apparent and the 
resulting recommendations would be similar. A central 
assumption of this thesis is that ADP (microcomputer) 
installations in the surface fleet fit this description. If 
a risk analysis were conducted for every ship in the fleet 


implementing a microcomputer system, patterns would become 


apparent and the resulting recommendations would be very 
Similar, indicating that the baseline approach for security 
safeguards may be appropriate. An example of an emerging 
pattern would be that the microcomputer systems aboard 
different ships are being used for a common purpose by the 
same groups of individuals (e.g., the COs, xXOs, and 
Department Heads of these ships), processing similar 
information, and using similar hardware and applications 
programs. 

For instance, the senior watch officers are all 
responsible for maintaining the viability of their 
respective in-port and at sea watch organizations. They can 
use a microcomputer data base application to track 
watchstanders, their qualifications, and rotation dates. 
The operations officers are all responsible for maintaining 
their ships' Unitreps (Unit Reporting System). They can 
also use a data base program to track selected exercises, 
personnel information, information pertinent to the ship's 
schedule, and the status of outstanding material casualties. 


The legal officers are responsible for generating the 


necessary documents for administrative discharge 
proceedings. They may be inputting this information into 
standardized formats using a word processing program. The 


use of standard operating procedures and the author's past 


professional experience indicates that there are no 
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significant differences in who uses these systems, how the 


systems are used, or what the systems uses are. 


C. METHODOLOGY AND ASSUMPTIONS 

This thesis provides a general, standardized model which 
satisfies the initial accreditation requirements as set 
forth in OPNAVINST 5239.1A. The method is developed by 
first discussing and analyzing the DON accreditation 
process. Limitations of the DON model are then addressed 
and alternatives examined. 

The model developed in this thesis is based upon a 
generalization of this shipboard ADP environment and makes 
the following assumptions: 


- the level of data processed is Level I, classified 
information; Level iis unclassified information 
requiring special protection; and Level III, all other 
unclassified data. 


- the security mode of operation is the Dedicated 
Security Mode. An ADP system is operating in the 
dedicated security mode when the Central Computer 
Facility and all of its connected peripheral devices 
and remote terminals are exclusively used = and 
controlled by specific users or group of users having a 
security clearance and need-to-know for the processing 
of a particular category(ies) and type(s) of classified 
material. 


- the ADP system configuration and locations consist of 
stand alone microcomputers located in spaces with 
controlled access. 


- the criticality of the mission is low, the present 


manual system can be used effectively, although 
somewhat less efficiently. 


ae 


The following outline provides an overview of this 

thesis: | 

CHAPTER 1. The first chapter provides a discussion of the 
DON accreditation process. 

CHAPTER 2. The second chapter is an evaluation of the first 
step in the accreditation process: risk analysis. 

CHAPTER 3. The third chapter is a summary of the remaining 
steps in the accreditation process. 

CHAPTER 4. The fourth chapter is an evaluation of the USGS 
baseline security model. 

CHAPTER 5. The fifth chapter is a proposed alternative to 
conducting a risk analysis. 

CHAPTER 6. The sixth chapter is a summary of conclusions 


and recommendations. 
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fi, eee ACCREDITATION PROCESS 


This chapter provides a discussion of the key elements 
of the accreditation process. Guidance pertinent to 
achieving ADP system accreditation is found in OPNAVINST 
Szo9.1A, the Department of the Navy Automated Data 


Processing Security Program. 


A. GENERAL 

The Designated Approving Authority (DAA) is an official 
assigned responsibility co accredit ADP elements, 
activities, and networks under that official's jurisdiction. 
Specific identification of this individual depends upon the 
ADP environment; defined by the level of data processed, the 
security mode of operation, ADP system configurations and 
locations, and the criticality of the ADP system to the 
organization's mission. 

Accreditation is the DAA's' formal declaration that 
appropriate ADP security countermeasures have been properly 
implemented for the activity's ADP systems or networks 
consistent with the particular level of data protection 
required and that the applicable steps in the accreditation 
process identified by the DAA are complete. 

The accreditation process is the means’ whereby 
information pertaining to the security of an activity's ADP 


computer systems or networks is collected, analyzed, and 


aS 


submitted for approval to the appropriate DAA. The 
individual steps of the accreditation process vary by level 
and type of data. Accreditation requirements are defined by 
Department of Defense, Director of Central Intelligence, and 
Department of the Navy regulations. The DAA is responsible 
for ensuring that the pertinent instructions and regulations 
are followed. The DAA evaluates his activity's ADP program 
to ensure compliance. 

Naval activities are either accredited or IGE 
accredited. If an activity is not accredited, computer 
systems or networks may operate if the appropriate DAA has 
issued an interim authority to operate. Interim authori 
to operate is: 

- granted for a fixed period, generally one year, 

- based upon an approved activity ADP security plan, 

- contingent upon | certain conditions being met (e.g., 
standard operating procedures being strengthened or 
TEMPEST! being certified). 

Accreditation becomes effective when a formal, dated 
statement of accreditation is issued. The statement of 
accreditation will identify: 

- the computer systems or networks being accredited, 

- the applicable level of data, 


- the security mode of operation. 


ITEMPEST is defined as the study and control of 
Spurious electronic signals emitted from ADP equipment. 
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A review will then be made at least every five years to 
verify that accreditation is still merited. This action may 
occur sooner if the DAA determines that a change has been 


mace which voids the accreditation conditions. 


B. ACCREDITATION REQUIREMENTS FOR LEVEL I AND LEVEL II DATA 

As discussed Lye the ign gleyehb(chepkieygiy shipboard 
microcomputer systems have the capability to process 
classified data (Level I) or unclassified data requiring 
special protection (Level II) and do so in the dedicated 
mode, which according to OPNAVINST 5239.1A makes the 
commanding officer the DAA. Commanding officers who are 
their own DAA will: 

(1) Conduct a risk assessment, 


(2) Develop a Security Test & Evaluation Plan (ST&E) and 
Conauct “an ST&E, 


(3) Document the ST&E test results, 
(4) Develop a Contingency Plan, 


(5) Develop an Activity ADP Security Plan (AADPSP) and 
submit it for COMNAVDAC approval, 


(6) Prepare the accreditation support documentation, 


(7) Issue a Statement of Accreditation as described in 
patagr@aen 3.3¢C Of OPNAVINST 5239.14, 


(8) Forward information copies of the Statement of 
Accreditation to COMNAVDAC. 


This thesis is concerned mainly with the accreditation 
process as it relates to the shipboard microcomputer 


environment where the Commanding Officer is the DAA. 


ae 


The next chapter discusses risk analysis, the first step 


in the process. Steps 2-8 are addressed in Chapter 3. 
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III. RISK ANALYSIS 


A. GENERAL 

The initial step in the accreditation process is to 
conduct a risk analysis. Two methods are used by the DON 
for conducting risk analyses, which are outlined in Appendix 
E of OPNAVINST 5239.1A. Appendix E recommends that an ADP 
Security ree be conducted first in order to determine 
which of the two methods should be used by defining the 
scope of the risk analysis effort. The purpose of this 
chapter is to present the ADP security survey and risk 
analysis Lone the use en microcomputers aboard 
cruiser/destroyer type ships. The risk analysis is 
accomplished using the method indicated by the security 


——_—Lo 


survey. | 

Within this chapter the ADP security survey and risk 
analysis Methods I and II are briefly discussed. Then the 
ADP security survey and risk analysis method used in the 
shipboard microcomputer environment are evaluated. Finally, 


an ADP Security Survey pertinent to shipboard microcomputers 


is included as Appendix A of this thesis. 


B. OPNAVINST 5239.1A ADP SECURITY SURVEY 
The ADP Security Survey has two sections. The first 


section describes the ADP system and the second section 


Ig 


summarizes the site security profile, which encompasses 
environmental issues and physical security. 

The information contained in the survey is derived from 
the author's knowledge of the shipboard environment and the 
knowledge of ADP security specialists from NARDAC San 
Francisco, California. The information is accurate to the 
extent that it is representative of what one would expect to 
find, in most ships, consistent with established policies 
a practices. Limitations of the structure of the ADP 


Survey are addressed later in this chapter. 


C. OPNAVINST 5239.i1A RISK ASSESSMENT METHOROEOGy 

A risk assessment involves a detailed examination of the 
assets and procedures of the ADP activity. An enumeration 
of the ADP activity's vulnerabilities and the threats that 
may exploit the vulnerabilities, resulting in destruction, 
disclosure, or modification of data, or denial of ADP 
services 1s critical to the successful completion of the 
risk analysis. Additionally, a risk assessment considers 
the current status and mission of the ADP activity. The DAA 
(as stated above, in the case of a ship the DAA is the 
commanding officer) determines which risk assessment methods 
will be used based on the complexity of the ADP environment, 
as determined in the ADP Security Survey (see Appendix A). 
As previously stated the ADP environment is governed by the 


level of data processed, the security mode of operation, the 
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ADP system configurations and locations, and the criticality 
of the ADP system to the organization's mission. 

Two risk assessment methods are provided in Appendix E 
of OPNAVINST 5239.1A. Method I is the standard method for 
use in most ADP environments. Method II is for use in less 


complex ADP environments. 


Pee METHOD I OVERVIEW 

Risk Assessment Methodology I as presented in OPNAVINST 
5239.1A consists of the following major steps. 

1. Asset Identification and Valuation 


a. List and describe each asset. Particular attention 
should be given to valuation of data assets since 
these typically represent the greatest risk of 
substantial loss. 


b. For each asset determine the impact value for each 
applicable impact area, where impact is defined as 
destruction, disclosure, modification of data, or 
denial of service to users. (Impact value ratings are 
found in OPNAVINST 5239.1A, Table E-2.) 


c. Provide documentation to support the impact value 


rating assigned and identify the cost included in the 
impact values. 


2. Threat and Vulnerability Evaluation 


a. List and describe all the threats, vulnerabilities, 
and existing countermeasures against each threat. 


b. Give examples of how the threats might exploit the 
vulnerabilities and penetrate the existing 
countermeasures. 


c. Indicate the impact area(s) to which each threat 
applies. 


a. Estimate the frequency of successful attack for each 
applicable impact area for the threat. 
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e. Justify the selected frequency of successful 
eecleics 


3. Computation of the Annual Loss Expectancy (ALE) 
Calculate the estimated potential annual dollar loss 
to the activity based upon the identified threats, 
vulnerabilities, and existing countermeasures, thus 
determining the activity's overall ADP security posture. 
This calculation is called the ALE and represents a 
quantitative estimate of the potential average yearly 


financial loss resulting from modification, destruction, or 


Gisclosure of data, or denial of services becausemie. 
existing vulnerabilities (i.e., flaws or weaknesses) which 
may permit identified threats to be realized. The ALE 


provides a dollar value baseline for determining the current 
ADP security posture and for accomplishing a cost-benefit 


analysis of new countermeasures under consideration. 


4. Evaluation and Selection of AgGaitlvoncan 
Countermeasures 
a. Identify additional countermeasures which could be 


applied to the activity. 


b. Evaluate the effectiveness of each proposed counter- 
measure to reduce the identified vulnerability and 
indicate the impact on the frequency of successful 
attack for the applicable threat(s). 


c. Determine the cost-effectiveness of each proposed 
countermeasure by analyzing the effect of its 
implementation on the ALE caused by the reduction in 
the frequency of successful attack. For a counter= 
measure to result in a monetary savings, the amount 
Saved over the life cycle of the countermeasure must 
exceed the cost of installation and implementation. 
Any countermeasure which satisfies this test is cost- 
effective. Threats which have the greatest potential 
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for harm based on their impact on the ALE indicate 
where to apply countermeasures. 


a. Recommend to the commanding officer an implementation 
schedule for all. countermeasures having a return on 
investment (ROI) greater than one. 

5. Proceed with Accreditation Process 
A brief comment regarding Step 2 is in order before 
proceeding. If Level I or II data are processed by the 
system, then this portion of the risk assessment should be 
classified at a level appropriate to that data, failure to 
do so could result in exceptionally grave consequences. 


This has not been directed by OPNAVINST 5239.1A, however, it 


seems appropriate. 


Pee METHOD IT OVERVIEW 

Risk Assessment Methodology II contains all of the 
essential elements of Method I, but does not provide the 
degree of detail of Method I. Also Method II does not 
provide for the interaction of threats and evaluation of 
threats by impact areas as does Method I. It is therefore 
limited to use in less complex ADP environments. 

Risk Assessment Methodology II as presented in OPNAVINST 
5239.1A consists of the following major steps. 

1. Asset Identification and Valuation 

All of the assets of the ADP activity or network are 


identified and assigned a dollar value based on the impact 


of modification, destruction, disclosure, and denial of 


Zu 


service. In all cases, the risk assessment documentation 


will provide justification for the dollar values assigned. 


2. Threat'and Vulnerability Evaluation and Annual Loss 
Expectancy (ALE) Computation 


All of the threats are identified and assigned a 
threat value based on the probability that they will exploit 
vulnerabilities and successfully attack an asset. The 
threat values are based on available information and experi- 
ence, evaluating vulnerability in the light of existing 
countermeasures. 

The document used to compute the ALE is the risk 
assessment matrix. Assets and their impact values are 
listed in columns and the threats are listed in rows. The 
ALE computation step is a series of mathematical computa- 
tions which reflects the summation of the products of all 
impact values (the value of loss or compromise of the asset) 
and threat values (the probability that the threat will 
Occur). (This process assumes threats are mutually exclu- 
Sive and does not account for their interaction.) 

3. Selection of Additional Countermeasures 

The total ALE provides a measure of the current com- 
mand security practices, the risks, and provides a baseline 
for evaluating which additional countermeasures would best 
improve the overall ADP security posture. Countermeasures 
intended to significantly reduce the vulnerabilities posed 
by the threats having the highest annual loss expectancies 


are to be implemented first. 


22 


The document used to determine priorities of the 
additional countermeasures is the additional counter- 
measures selection worksheet. A revised ALE is calculated 
using the reduced threat value in light of the additional 
countermeasure to be implemented. The annual savings is the 
difference between the original and revised ALE's. The 
return on investment is calculated by dividing the annual 
Savings by the annual cost of the countermeasure. Counter- 
measures are normally implemented in descending order based 
upon return on investment. Deviations from this guideline 
may be necessary because of budget constraints and require- 


ments of higher authority. 


F. SUMMARY 

Detailed procedures, forms, and tables for completing 
the risk assessment are provided in Appendix E of OPNAVINST 
5239.1A. Assets should be categorized as: (1) software, 
(2) data, (3) hardware, (4) administrative, (5) physical, 
(6) personnel, or (7) communication. The dollar amount 
assigned to an asset for each impact area (destruction, 
disclosure, and modification of data, denial of service to 
users) represents the importance of not allowing the 
particular type of damage to occur. In other words, the 
dollar amount assigned represents how much money should 
reasonably be spent to avoid a single incident of the type 


being considered. 
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In all cases the risk assessment docimentationesiuoee 


- document the assumptions used in determining asset 
dollar values, 


- provide documentation to support the impact value 
rating assigned and identify the costs included in the 
impact value. 


G. ANALYSIS OF THE ADP SECURITY Sue iy 

One limitation of the OPNAVINST 5239.1A Security Survey, 
contained in Appendix E of the instruction, is that it does 
not provide the DAA with a valid means of determining 
whether to use Risk Assessment Method I or Method II, the 
stated purpose for conducting the survey. There is no quan- 
titative measure or logical design which gives clear-cut 
guidance regarding which method should be used. 

Section I, question B asks for the dollar value imeaen 
Of loss and cost to replace. At least two problems occur 
which highlight the difficulty of providing cleareau. 
quantitative guidance: 

- First, the dollar value for data ultimately used in the 
Annual Loss Expectancy calculation, appears to be more 
oriented toward justifying expenditures for counter- 
measures than reflecting the true impact of compromise. 
(For instance, step 3 of Risk Assessment Method I 


states that the ALE provides a dollar value baseline 
for determining the current ADP security posture and 
for accomplishing a cost-benefit analysis of new 
countermeasures under consideration). Additionally, 
the impact of the loss of classified information in 
dollar terms and the probability that a threat impacts 
an asset may be impossible to accurately assess. 


- Second, the amounts disregard the anticipated life of 
the equipment. The values should be discounted to pro- 
vide a net present value analysis, which would provide 
a more accurate assessment of system value versus 
present cost. 
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Section II of the survey lists several vulnerabilities 
and the operating countermeasures and asks the respondent to 
assess the risk as high, moderate, or low. Appendix F of 
OPNAVINST 5239.1A provides limited guidance relative to how 
this is to be accomplished. For instance, section F.2 
provides some guidance for completing the security survey as 
it relates to software countermeasures. However, the terms 
high, medium, and low used to describe the confidence level 
associated with these countermeasures are only defined in 
general terms (e.g., the confidence level for password pro- 
tection from visual observation: "Suppressing the printing 
of the password is rated high, while other protection 
mechanisms are rated medium"). The respondent must make a 
Subjective evaluation of the countermeasures! effectiveness. 
Also, section F.3 provides some guidance for completing the 
security survey as related to hardware countermeasures. 
Again the respondent must subjectively evaluate the counter- 
measures' effectiveness. An example is the level of confi- 
dence provided by Protection-State Variables, "Depending 
upon how well the system software uses protection-state 
variables, this countermeasure ranges from low to high." 

As the analysis suggests, the choice of whether to use 
Method I or II is based primarily upon subjective judgments 


of the DAA. 
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H. AN ALTERNATIVE TO THE ADP SECURITY SUR 

A pragmatic approach that is most often used in practice 
by security specialists at ‘NARDAC, San Francisco, 
California, is to determine which method to use based on the 
following three criteria: 


- if the system cost exceeds some minimum amount (in 
practice approximately $1,000,000), 


- and Level I or II data are used in the system (classi- 
fied information and unclassified information requiring 
special protection), 


- and the ADP system is critical to the accomplishment of 
the organization's mission; 


then Risk Assessment Method I is used. If any one of the 
three criteria is not met, then Method II is used. This 
approach is used because the survey does not provide the DAA 
with adequate guidance (Sharp, 1986). 

The first two criteria can be evaluated on the basis of 
archival data. Evaluation of the third criterion is made as 
follows: If nothing else changes, could the activity accom- 
plish its mission without the use of the ADP system? This 
is a question which the DAA should be able to answer without 
MUCH Gaia Teuiseys 

The following decision matrix depicts the decision 
aoe ane. 

Using the pragmatic approach, Risk Assessment Method II 
should be used in the shipboard microcomputer environment. .- 


This is true because the first and third criteriavareeaes 
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So teremecosl > 51M 


OS AND =e 
LEVEL I OR II DATA PROCESSED 
AND 
ADP IS MISSION CRITICAL 
Vv 
USE METHOD I USE METHOD II 


met, the system cost is less than $1,000,000 and the ship- 
board microcomputer system is not mission critical. 

Appendix B contains a completed Risk Assessment for the 
use of shipboard microcomputers using Method II. The risk 
assessment matrix and additional countermeasures worksheet 
were completed in accordance with instructions outlined in 
Appendix E of OPNAVINST 5239.1A and Chapter II of this 
thesis. The risk assessment matrix iS a summary of the 
threats associated with the shipboard microcomputer environ- 
ment. The additional countermeasures selection worksheet 
lists respective countermeasures which will reduce the 
threat. Threat values were taken from Table E-1 of 
OPNAVINGST5239.1A. Prices for the countermeasures were 
taken from a recent computer products catalogue (DEVOKE Data 
Products, Summer/Fall 1985). 

The following section is an analysis of the risk assess- 
ment process which discusses some of the limitations 


associated with Method II. 
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I. ANALYSIS OF RISK ASSESSMENT METHOD, GE 
There are at least three problems with the method used 
for conducting microcomputer risk analysis: 
(1) One is that even though this method is for use in 
less complex ADP environments, it is still mainframe 


OrLented- 


(2) The second involves the method currently used for 
calculating the Annual Loss Expectancy (ALE). 


(3) The third arises from the practice of selecting 
countermeasures based upon their respective ROI. 


The first problem is understandable in that the Navy has 
amassed far more experience in the mainframe environment 
than any other. However, this places an undue burden on 
activities which must use Method II, but do not have the 
level of computer expertise that would be found in the main- 
frame environment. In the short term this createsmed 
problem. In the long term, as the use of microcomputers 
proliferates, instructions will become oriented toward a 
more diverse audience and at the same time the individuals 
using the instructions will be more “computer literate." 
(Nolan: -197 5) 

The second problem requires a different type (oa 
analysis. The ALE has two components, the impact value 
rating (the dollar impact of disclosing sensitive data) and 
the threat values (the probability that the threat will 
OCeUN) . The ALE is the product of the impact value rating 
and the threat value, summed for each asset to yield the 


TOTAL ALE BY INDIVIDUAL THREAT. The ALE's for éacaH 
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individual threat are then summed to determine the TOTAL 
ALE. However, the dollar value of compromised classified 
information is difficult to determine. Therefore; impact 
values, based on the estimated damage caused by compromised 
Classified information, are suspect. Additionally, even if 
the methods used to calculate threat values were sound, the 
threat values must be rated as either high, medium, or low, 
but no quantitative guidance regarding what constitutes a 
high, medium, or low probability is given. Personnel 
conducting the risk assessment are therefore left with their 
best judgment and the use of historical data, if available, 
to determine the range of values which defines whether the 
threat for a given asset is high, medium, or low. The 
validity of the process is further diluted when the system 
type is new and little historical data exists to support 
quantitative analysis. 

One interpretation of the method used to calculate the 
ALE is that if one manipulates the numbers and argues 
persuasively enough (which the method allows) the cost of 
any countermeasure can be justified. This could foster an 
atmosphere of free spending which clearly violates the 
tenets of the DON acquisition process. “The author's opinion 
is that a more cost effective means for identifying and 
fulfilling ADP security requirements can be developed. 

The third problem is that selecting countermeasures 


based upon ROI does not support a systemic approach to 
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providing ADP system security. For instance, if two or more 
countermeasures, operating interactively, provide the 
optimum ADP system security, it is unlikely that Method II 
(or Method I) will reveal this (i.e., that the respective 
countermeasure's ROI will indicate the optimal system 
COnELGuUrAaELOn): 

A strong argument can be made that in the shipboard 
Microconpucer environment, providing security while. 
processing Level I information in the dedicated security 
mode is people dependent. The dominant consideration is 
that access to information is granted based o the individual 
processing the information possessing the appropriate 
security clearance and the need to know. The shipboard 
microcomputer system, by itself, does not impose any unique 
security requirements (with the exception of TEMPEST 


considerations). 


irs PERSONNEL AND INFORMATION SECURTEY 

OPNAVINST 5510.1G is the Navy's Personnel and Informa- 
tion Security Manual. This instruction contains provisions 
for the assignment of an ADP Security Officer and provides 
guidance pertinent to the administration of personnel and 
information security. 

Personnel and information security depends heavily upon 
procedural controls. The officers and men serving onboard 
ships are familiar with personnel and information security 


procedures and the shipboard environment provides the 
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required administrative support (e.g., security clearances 
are maintained and access to classified information is 
granted on a need-to-know basis). Given the argument that 
the shipboard microcomputer system, in and of itself, does 
not impose any unique security requirements and OPNAVINST 
5510.1G contains provisions for the assignment of an ADP 
Security Officer and provides guidance pertinent to the 
administration of personnel and information security, one 
approach would be to cover microcomputers under’ this 
imistruction. 

If this were done, the following decision diagram would 
depict the decision process discussed above: 

SyYoreM CoGor > SiM 
YES <—— AND ——_———_——> NO 
r/o teoketT DATA PROCESSED 
: AND 


ADP IS MISSION CRITICAL 


Mee METHOD I 


. 
| Is 
YES < SECURITY —* NO 
SYSTEM | 
DEPENDENT 
a VA 


USE ME LHiOD: TE US OPNAY INST 5510.1G 
FOR CONDUCTING FOR GUIDANCE PERTINENT 
RISK ANAL AO a Ee Wier Ye 
CONDUCT TEMPEST 
SURV iY 
William E. Perry, the executive director of the Quality 


Assurance Institute, Orlando, Fp eoea ce, Supports this 


analysis of the microcomputer security problem. Perry 


ou! 


(Perry, 1986) cites the following questions which must be 
addressed relative to microcomputer security: 


- "Didn't end users already have the same information 
before the advent of microcomputers?" 


- "Do microcomputers really pose a significantly new 
security risk?" 


- "Aren't the existing security policies, procedures, and 
standards adequate to address microcomputers?" 


His analysis concludes that the problem is personal 
security not microcomputer security. The information and 
programs of security concern are given to individuals, not 
machines. Therefore, the real problem is a people security 
problem and not a computer problem. If security is directed 
at machines, it misses the real problem. He further states 
that hardware and diskette security is a physical security 
problem. The key is to establish and follow policies and 


procedures laid down by management. 
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ft eo ooh dee ACCREDITATION PROCESS, 
TpbeRES Tt OF THE STORY 


The preceding chapter dealt with the first and most 


controversial step in the accreditation process: risk 
assessment. This chapter provides a discussion of the 
remaining steps in the accreditation process. While the 


discussion is general, the focus is on the process as 
defined by the shipboard microcomputer environment in which 
the commanding officer is the DAA. Table 4.1 lists the 
steps in the DON Accreditation Process as set forth in 


OPNAVINST 5239.1A. 


TABLE 4.1 
DON ACCREDITATION PROCEDURES, OPNAVINST 5239.1A 
(1) Conduct a risk assessment 


(2) Develop a Security Test & Evaluation Plan and conduct 
(ST&E) 


(3) Document the ST&E test results 

(4) Develop a Contingency Plan 

(5) Develop an Activity Automated Data Processing Security 
Plan (AADPSP) and submit it for Commanding Officer SS 
Data Automation Command (COMNAVDAC) approval) 


(6) Prepare the accreditation support documentation 


(7) Issue a Statement of Accreditation as described in 
paragraph 3.3c 


(8) Forward information copies of the statement of 
Accreditation to COMNAVDAC 
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A. STEP 2: DEVELOP A SECURITY TEST &  EVADUATI 
CONDUCT A SECURITY TEST S& EVADUATICH 


When the commanding officer is the DAA, the ST&E is the 
activity's responsibility. The scope of the ST&E depends on 
the level of data processed and the security mode of opera- 
eavGiae The results of the risk assessment determine the 
level of detail and scope required for the ST&E. 

The purpose of conducting an ST&E is to obtain technical 
information to help the DAA decide whether or not to 
accredit an ADP activity or network. The ST&E consists of 
two interrelated phases. The first phase determines whether 
the necessary countermeasures have been installed, and the 
second phase determines whether the installed counter- 
measures are working effectively. 

1. Mandatory Procedures 

The following steps are applicable to all ADP 
activities for which the commanding officer is the DAA. 


a. Identify qualified individuals to perform the steps 
outlined below: 


(1) ADP security 

(2) System software/hardware 
(3) Application software 

(4) Telecommunications 

(5) Emanation security 

(6) Physical security 


(7) Personnel, procedural, and administrative 
security 
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(8) User/customer functions: OPNAVINST 5239.1A 
states that when possible, it is preferable for 
each step to be performed by different individ- 
uals. Because of the scope of the microcomputer 
system used in the shipboard environment 
(cruisers/destroyers) this will neither be 
possible nor necessary. It would be coincidental 
that qualified ADP personnel are assigned in 
combatants because these ships do not require 
personnel with ADP skills. It is therefore 
unlikely that there will be enough qualified ADP 
personnel so that a different person can perform 
each of the steps. Additionally, in the ship- 
board microcomputer environment, given the neces- 
sary reference material, one person should be 
able to complete all 8 steps easily. 


Review the risk assessment for currency and accuracy. 
Identify and analyze the nature of the threats and 
vulnerabilities and their respective countermeasures. 
This provides the basis for the development of the 
ST&E plan. 

Develop the ST&E plan. The plan should describe how 
each countermeasure is to be tested in order to deter- 
mine its effectiveness. If unanticipated situations 
arise while the ST&E is being conducted, the ST&E 
should be modified accordingly. 


(1) The ST&E should address all elements of the ADP 
security environment: 


- Hardware 

- Software 

- Physical facility/security 

- Personnel 

- Communications 

- Emanations 

- Administrative/operating procedures 


- Data 
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_ (2) 


Bo. Vole 1a. 


The ST&E plan should include the following items 
for each element in (1) above: 


Test objectives 


A Plan of Action & Milestones (POA&M) for the 
test 


The test team organization 
Detailed test plans and procedures 
Test data 

Execute the ST&E plan 


Document the results of the ST&E. 


DOCUMENT THE ST&EY TEST eRESULTS 


The ST&E report documents the execution and results of 


the ST&E plan. The ST&E report also analyzes the findings 


of the ST&E plan and lists recommendations to correct defi- 


Giencies: 


The following is a sample ST&E report format 


taken from Appendix H of OPNAVINST 5239.1A. 


Index 


Executive Summary 


Body of Report: 


is ADP Security Environment 


a. 


De 


Hardware Configuration 
Software 

Physical Facility/Security 
Personnel 

Communications 


Emanations 
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as Administrative/Operating Procedures 


Is Data 
2% Test Objectives 
zy Test Results and Analysis 
a. Test results for each area and scenarios used 
oe Overview of general findings and 
recommendations 
eo Specific findings for each area 


- Summary of problem 
- Analysis of problem 
- Alternative solutions 


- Recommended solutions 


- Cost to implement, either actual oor 
projected, in terms of dollars or work 
hours 


- impact on system operation 


4. Analysis and recommendations regarding test 
approach and procedures and future system security 
testing. 

5s Proposed POA&M ope corrective actions and 


assignment of responsibilities. 


Seo lbP 4: DEVELOP A CONTINGENCY PLAN 

The Contingency Plan should fully document procedures 
for continuity of operations. The detail and scope of the 
plan depends upon the characteristics of the individual 
eemavity. The activity contingency plan should provide 
detailed procedures for all aspects of emergency, backup, 


and recovery operations. 
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STEP 5: DEVELOP AN ACTIVITY AUTOMATED DATA) PROCES 2] = 
SECURITY PLAN (AADPSP) AND SUBMIT IT FOR COMMANDING 
OFFICER NAVAL DATA AUTOMATION COMMAND ( COMNAVDAC) 
APPROVAL 


The activity ADP Security Plan (AADPSP) is a document 


which establishes and updates an activity's ADP security 


program. The purpose of the AADPSP is to: 


—_= 


promulgate activity ADP security policy and provide 
guidelines for all ADP security procedures to be used 
by the activity, 


document the current ADP security environment, estab- 
lish program objectives, and outline a POA&M for pro- 
gram implementation. The POA&M 1S critical to the 
Success of the AADPSP. It identifies all activity ADP 
elements and outlines a schedule for completing the 
steps of the accreditation process for each ADP 
element. 


Appendix H of OPNAVINST 5239.1A discusses the AADPSP and 


indicates that it should address the following areas: 


The scope of the AADPSP. 
The commanding officer's policy statement. 


The ADP security organization and assignment of 
responsibilities. 


Objectives for implementing the DON ADP security 
Program at the activity. 


An overview of the current ADP security environment to 
include: 


(a) Hardware 

(b) Software 

(c) Physical facility/security 
(ad) Personnel 

(e) Communications 


(f) Emanations 
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(g) Administrative/operating procedures 
(h) Data 
oe Eraining 
TP ote internal review 
8. Provisions for ADP security in life cycle management 


9. Provisions for ADP security in hardware and software 
eontiguration control 


10. Activity accreditation schedule identifying all ADP 
elements and a POA&M for completing: 


(a) Risk assessments 

(b) ST&Es 

(c) Contingency planning and testing 

(ad) Accreditations 
The AADPSP serves as a comprehensive document detailing the 
commanding officer's desired security posture and the 
ADPSO's plans for achieving these objectives. It ‘should be 
a living document for developing, updating, improving, main- 
taining, and managing ADP security requirements within the 
DON ADP activity. The ADPSO is responsible for developing, 


implementing, and updating the AADPSP. 


E. STEP 6: PREPARE THE ACCREDITATION SUPPORT DOCUMENTATION 

The purpose of the Accreditation Support Documentation 
is to provide information to support the request for 
accreditation. It provides evidence that the ADP activity 
has effectively implemented appropriate countermeasures 
consistent with the protection requirements for the data 


level and security mode of operation to be authorized. 
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Appendix H of OPNAVINST 5239.1A, section H.2.8 provides 
guidance for preparing the accreditation support 
documentation. 

The documentation includes information requested by the 
DAA, such as: 


1. the name, position, and telephone number of the ADP 
Security Officer (ADPSO) and ADP System Security 
Officer (ADPSSO) who will serve as a primary point of 
contact for the accreditation; 


2. the identification and location of all Automated Data 
Processing Equipment (ADPE), also equipment layout 
charts and engineering diagrams; 


3. line diagrams showing interconnection of ADPE, 
communications lines, and protection of the lines; 


4. the approximate percentage of each application cate- 
gory of data to be processed (identified by project or 
task) versus the level of data (Level I, II, or III) 
and the type within each level (e.g., classified, 
personal, financial); 


5. a description of the operating system and application 
software for ADP system, also descriptions of communi- 
cations and network dependent applications software 
for networks, if applicable; 


6. the current and proposed security modes of operation; 


7. a copy of the ADP Security Operating Procedures and 
other applicable command security directives (e.g., 
security incident handling procedures, procedures for 
control of operating system and application software 


MOGdLiication)- 
8. the risk assessment documentation; 
9. descriptions of all countermeasures; 
10. copies of previous system/network accreditations and 


interim authorities to operate; 
11. certification of compliance with security directives; 


12. the ST&E test plans; 
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13. the ST&SE test reports; 

14. TEMPEST accreditation, if applicable; 
15. physical accreditation, if applicable; 
16. the Contingency Plan; 

17. the Contingency Plan test results; 

mo. the AADPSP; 


19. and other documentation as required by ADPSO. 


Pee olBP 7: ISSUE A STATEMENT OF ACCREDITATION 

A sample statement of accreditation is contained in 
Appendix H of OPNAVINST 5239.1A, Figure H-7. 
GeeeolEP 8: FORWARD INFORMATION COPIES OF THE STATEMENT OF 

ACCREDITATION TO COMNAVDAC 
H. ANALYSIS AND COMMENTS ON STEPS 2 THROUGH 8 

Steps 2 through 8 provide the follow-up and validation 
for the result of Step 1, the risk analysis. 

i steps 2 and 3 

Both are concerned with developing the  ST&E, 

conducting the test, and documenting the results. The test 
has two interrelated phases: 


- determine whether or not the necessary countermeasures 
have been installed, 


- determine whether the installed countermeasures are 
working effectively. 


The first phase must ask the same question that is 
asked in the risk analysis. As is the case with risk 


analyses, determining whether oor not the necessary 
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countermeasures have been installed requires that the threat 
be identified and well defined. The second phase is an 
evaluation of the how effective the installed counter- 
measures are. Since this model selects the countermeasure 
with the highest ROI as determined by the risk analysis 
(which has already been identified as an imprecise, subjec- 
tive process), two questions arise: 


- is the countermeasure selected technically sufficient 
to counter the threat, and 


- is the countermeasure selected the most cost effecuu. 
to counter the threat. 


Step 2 1s designed to answer the first question. 
Unfortunately, due to the limitations associated with risk 
assessments, this model is unable to adequately answer the 
second question, a severe limitation. Periods of national 
fiscal austerity evinced by legislation such as Gramn, 
Rudman, Hollings initiatives dictates that we make cost 
effectiveness a priority. 

Appendix C contains an abbreviated ST&E used in 
conjunction with risk assessment Method II. This document 
was developed by the Naval Electronic Systems Engineering 
Activity, St. Inigoes, Maryland, and provides’ useful 
guidance. 

2. step 4 

Because the shipboard microcomputer system is not 

mission critical, a contingency plan iS not reguiimed: A 


loss of processing capability for a reasonable period of 
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time would be inconvenient, but would not adversely, affect 
the ship's mission since its function is administrative. If 
alternate hardware exists, however, its location shall be 
specified as well as the location of data/software 
diskettes, back-up diskettes, and supplies, in accordance 
with good management practice. Appendix D is aesample 
Contingency Data Form used by NARDAC, San Francisco, which 
is suitable for use in the shipboard microcomputer 
environment. 
3. Steps 5 Through 8 

The AADPSP is basically a policy statement which 
includes guidelines and a timetable for meeting program 
objectives. Steps 6 through 8 are procedural. 

Theoretically, with minor modifications to how 
countermeasures are selected, Steps 2 through 8 could be 
used independent of the risk analysis process if an 
acceptable alternative for conducting risk assessments were 
identified. The ability of a particular methodology to 
ensure cost effectiveness is the criteria which establishes 


acceptable alternatives. 
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V. THE US GEOLOGICAL SURVEY BASELINE SEGUR Ti Sov ns 


A. INTRODUCTION 

The baseline security model was developed by the USGS 
because models which had been used previously were directed 
toward large computer centers. The premise was that these 
models were inappropriate for use in their microcomputer 
installations, which were expanding in number. Factors 
critical to development of the baseline security model were 
the organizational structure and the computer security 


environment within the USGS. 


B. GENERAL 
The method employed within the USGS baseline security 
model: 


- determines which of six categories describes the 
computer system in question, and 


- implements the minimum acceptable security requirements 
For that careqor,. 


The three system attributes which must be reviewed in order 
to determine the computer system category are: 

- data sensitivity, 

- the system's users, and 


- access afforded the system & data resources (Cecula, 
OS'S ie 


Figure 5.1 is a tree diagram which represents how the 


USGS security category is determined. The first 
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determination is whether or not the data are sensitive. 
Datameaxre Sensitive if they are proprietary, critical to the 
mission of one of the agencies programs, or personal infor- 
mation. The second determination concerns the computer 
systems! users or user groups. If there is only one user or 
a eel group of users with homogenous needs, then the 
system is characterized as a single user system. The third 
determination involves physical access to the computer 
system. If system users can only gain access through 
another party then access is controlled. The set of minimum 
security requirements is then defined by the category of the 


computer system (Cecula, 1985). 























Yes No 
Sensitive 
| Data 
NY U7 
No Single Yes No Single Yes 
——-— user —————___ user 
system system 
No VY Yes No V Yes 
. ACCeSs Access 
| Controlled Controlled 
\ Y vi 
al. 2 3. #4 5 6 


Figure 5.1. USGS Security Category Decision Tree 


The category indicated by the tree diagram in Figure 5.1 is 


then found in the security requirements matrix (Table 5.1). 


45 


The letters in each column indicate by category whether the 


control or safeguard is required, suggested, or optional. 


TABLE VSe 


SECURITY REQUIREMENTS MATRIX 


Category 1 2 3 4 5 6 
Risk analysis R R R R R R 
Security officer R R R R R R 
Continuity of operations R Er R R R R 
Procurement requirement R R R R R R 
Physical security plan R R R R R S 
ADP ‘lori by, Lie R R R R R S 
Bra in eng R R. R R R ie 
Software certification R R R S = S 
Separate libraries R R O S S O 
Technical controls R R O O O O 
R = required, S = suggested, O = optional 


A typical USGA minicomputer site usually has at least one 
sensitive data base (Cecula, 1985). It would be used by a 
select group of people from the same office, placing it in 
category 3. The USGS baseline security model then mandates 


the following: 
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- conduct a risk analysis 
_- assign an information security officer 
- review all positions requiring access to the computer 
system for security sensitivity and place each one into 
one of three position-sensitive categories 
- develop a training program 
- develop a physical security plan 
- develop a continuity of operations program 
- certify sensitive application software 
- install reasonable physical safeguards 
- future contracts must provide the appropriate security 
level. 
Se ANALYSIS OF THE USGS BASELINE SECURITY MODEL 
The positive aspect of the USGS model is that a 
determination as to which of the six categories is appro- 
priate can be readily accomplished, thereby establishing 
categories of risk based upon system characteristics. This 


provides the conceptual basis for security baselines. 


The negative aspect of this model is that all security 


categories require a risk analysis. Cecula states that risk 
analysis 1s time-consuming, costly, and often yields 
questionable results. Common sense dictates that these 


limitations are further exacerbated when the process is 
conducted by a person unskilled in information security. 

The experience of agencies within the U.S. Geological 
Survey which use microcomputers extensively is that these 


agencies Ey ptcal ly lack ADP expertise, particularly 
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individuals skilled in information security (Cecula, 1985). 
These factors seem to be reasonable expectations within the 
surface forces of the DON as well. This is because in all 
but the most unique circumstances, the requisite expertise 
will be unavailable aboard ships. It is not likely thee 
individuals with the requisite skills will be billeted in 
ships, Since the risk analysis process is mainframe/computer 


Genter oriented. 
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VI. A PROPOSED SOLUTION, THE NELSON/DOD MODEL 


A. GENERAL 

This model is based on the argument that the conven- 
tional risk analysis mOeNed oucaNy is unsatisfactory. As 
discussed previously, the major problem with conducting risk 
analyses is the way that the ALE is calculated. The ALE has 
two components, the impact. value rating (the impact, in 
dollars, of disclosure of sensitive data) and the threat 
values (the probability that the threat will occur). The 
ALE is the product of the impact value rating and the threat 
value, summed for each asset to yield the TOTAL ALE BY 
INDIVIDUAL THREAT. The ALEs for each individual threat are 
then summed to determine the TOTAL ALE (OPNAVINST 5239.1A, 
feoee, F.5.3). This procedure is the same as the expected 
value approach which is used for decision making under risk 
(Turban and Meredith, 1985). In the expected value 
approach, decision situations in which the chance (or proba- 
bility) of occurrence of each state of nature is known (or 
can be estimated) are defined as decisions made under risk. 
The expected value of an alternative is the sum of all 
possible payoffs of that alternative, weighted by the proba- 
bilities of those payoffs occurring. Expected values 
calculated using subjective payoffs and probabilities (when 


payoffs and the probability that a particular state of 
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nature will occur must be estimated) are subject to the 
biases of the individuals making the estimations (Turban and 
Meredith, 1985). 


The expected value E(aj) is defined as: 


E(aj) =. P1011 + P2912 + --- = 24P5°i;5 
where, 
a; = Alternative 1 
Sj = State of nature j 
Pj = Probability that state of nature S5 will 
occur 
Oj4 = Payoff resulting from the selection of 


alternative a; when Sj occurs 


This method is based upon establishing a ceiling amount 
which should not be exceeded for providing safeguards and 
does not, therefore, lend itself to the identification of 
the most cost effective countermeasures. The expected value 
represents the maximum dollar amount that one should be 
willing to pay to safeguard the ADP system's assets. When 
dealing with Level I data, regardless of the ADP system 
configuration, the expected value approach using subjective 
probabilities may yield very large numbers. Level II data 
may also yield large values, but their characteristics are 
such that they are less likely to do so than Level I data. 

Using the ROI of different countermeasures to prioritize 
their implementation can be misleading due to the limita- 


tions expressed above and in Chapter II (e.g., problems 
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associated with the complexity of accurately estimating 
asset values, estimating the probability that a particular 
state of nature will occur, and using these estimated values 
in expected value calculations). Again, expected value 
figures are only useful for determining the maximum dollar 
amount that one should be willing to pay to safeguard a 
system's assets. The reality of funding projects with 
limited budgets necessitates that cost effectiveness become 


a major consideration in system development. 


Bee PURPOSE 

The purpose of this model is to provide a logical 
design, applicable in all ADP environments, which will 
identify the most cost effective means of providing for a 
particular system's security requirements. ries Locus of 

this model is on: 
- designing a logical method which will identify minimum 
requirements based on system characteristics as defined 


by the ADP environment, 


- identifying countermeasures which have been evaluated 
effective to meet the minimum requirement, and 


- selecting countermeasures which have ae lowest 
possible life cycle cost. 


ee PROCEDURES 

The remainder of this chapter is devoted to a discussion 
of the steps in the Nelson/DOD model which is intended to 
replace the risk analyses process used in the DON model. 


This model can be completed by the ADPSO with guidance from 


Sel 


the DAA. Using the Nelson/DOD model diagram (Appendix E) in 
conjunction with the following discussion is recommended. 
1. Define the ADP Environment 


a. Describe the system and its purpose, including manual 
systems being automated, 


b. What is the system configuration; 


- Hardware--mainframe, mini, micro, network, 
distributed system; 


- Operating system--does the system require 
concurrent processing? 


- What level of granularity! must the system support? 
- Software--what applications programs will be used 
and what concurrency/data integrity problems may 
result? 
c. What is the security mode of operation? 
dad. What level of information will be processed? 
2. Is the ADP System Critical to the Activity's Mission 
If the answer to 2. is No: Complete steps 3 through 
7 and proceed to page 55, step 10. 
If the answer to 2. is Yes: Continue to step 3. 
3. Is the Security Environment Open or Closed 
a. Closed Security Environment 
The security environment is closed if both of 
the following conditions hold true. 
a. Application developers (including maintainers, those 


individuals who maintain application programs) have 


1In the concurrent processing environment, granularity 
refers to the level or degree to which resources will be 
reserved for a single process based on the particular 
scheduling algorithm being used. The levels of granularity 
may be specified at either the file, record, or field level. 
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sufficient clearances and authorizations to provide an 
acceptable presumption by those responsible for 


safeguarding classified data that the 
developers/maintainers have not introduced malicious 
logics Sufficient clearance is defined as follows: 


where the maximum classification of data to be 
processed is Confidential or below, developers are 
cleared and authorized to the same level as the most 
sensitive data; where the maximum classification of 
Gata to be processed is Secret or above, developers 
have at least a Secret clearance. 


b. Configuration control provides sufficient assurance 
that applications are protected against the introduc- 
tion of malicious logic prior to and during operation 
of system applications (CSC-STD-001-83, Sect. 
Aoes.2.3)m . 


b. Open Security Environment 
The security environment is open if one of the 
following conditions holds true. 

a. Application developers (including maintainers) do not 
have sufficient clearance or authorization to provide 
an acceptable presumption that they have not intro- 
duced malicious logic. 

b. Configuration control does not provide’ sufficient 
assurance that applications are protected against the 
[IitGeCouctlonssa: Malicious logic prior to and during 
the operation of system applications. 

- If Level I or II data is being processed and the 
system if operating in the open security environ- 
ment, ensure that measures are taken which will 


place the system in the closed security 
environment. 


4. What Unique Security Requirements Result from Using 
the ADP System? 


Given the fact that Level I or II data are being 
processed, define threats which result from using the ADP 


Sot elm . 
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5. For Each Unique Security Requirement, Determine If 
Technical Controls/Countermeasures Are Necessary to 
Satisfy the Requirement 


- If no: Use existing instructions pertinent to personal 
and information security/administrative and procedural 
controls (OPNAVINST 5510.1G). 

- If Yes: 1) Calculate the risk index; 


2) Using the appropriate Table select the 
minimum criteria class (see Appendix F). 


6. Do Products Exist Which Satisfy the Requirement 
Check the Evaluated Products List for products which 
will satisfy the unique security requirement (see Appendix 
G). List all products which satisfy the requirement. 


-~ If no "off-the-shelf" product exists, contract out 
(requirement = specification). 


The purpose of this step is to identify a range of 
products with various performance characteristics and prices 
which will satisfy the particular security requirement and 
provide alternatives for the DAA. Since the cost of 
hardware and communications 1s decreasing, one alternative 
which the DAA should consider is purchasing additional 
hardware to be used in the dedicated mode for Level I and II 
applications. 


yas Select the Most Cost Effective Countermeasure @Lon 
Each Unigue Requirement 


The importance of the last two steps is to provide 
alternatives and introduce competition, the Federal Govern- 
ment's chosen method for controlling costs (OMB Circular No. 


A~109). Both provide a formalized framework which will 
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assist the DAA in introducing cost effectiveness into the 
decision process. 


8. Calculate the Expected Value of the ADP system 
assets 


The Expected Value of the ADP system assets provide 


a maximum cost to be spent on the ADP system. 


9. Does the Expected Value Exceed the ADP System Cost 
Including Countermeasures and Implementation Costs 


- If Yes, proceed with Step 2 of the Accreditation 
Process; 


- If no, automating the system in the proposed configura- 
tion is not justifiable. 


The purpose of this step is to determine if the 
Expected Value of the system exceeds the cost of the 
proposed ADP system including implemented countermeasures. 
If this is false then the cost of the system as configured 


is not justifiable. 


10. Is Funding Available and Is the DAA Willing to 
Obligate Funds 


- If no, continue using the manual system; 


- If yes, continue to step 11. 


i. Calculate the Expected Value of the ADP System 
Assets 


The Expected Value of the ADP system assets provides 


a maximum cost to be spent on the ADP system. 


i . Does the Expected Value Exceed the ADP System Cost 
Including Countermeasures and Implementation Costs? 


- If yes, proceed with Step 2 of the Accreditation 
Process; 


- If no, automating the system as configured is not 
justifiable. 
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D. ANALYSIS 

The difference between the model proposed here andugeme 
OPNAV model is that the latter assumes the ADP system will 
be operating in the mainframe environment, while the former 
is more generally applicable. 

Providing cost effective system security may require 
creativity. Unfortunately, at least intuitively, it seems 
that creativity is a function of the knowledge level of 
system designers. However, complex environments imply that 
systems designers are knowledgeable, so in this environment 
the problem is minimized. Less complex system configura- 
tions may, to a greater extent, employ administrative 
procedures, which will rely less on technical knowledge. 
Again, this minimizes the impact of the unavailability of 
technical expertise. 

The model proposed here may replace the risk assessment 
process with a potentially more cost effective means of 
providing ADP system security. The model can be inserted 


into step (1) of the accreditation process listed below. 


DON ACCREDITATION PROCEDURES, OPNAVINST 5239.1a: 


(1) Use the Nelson/DOD Model to determine security 
requirements/countermeasures; 


(2) Develop an ST&E Plan and Cenaducclane te. 
(3) Document the ST&E test results; 


a. if test results are unsatisfactory, iterate steps 
Pane: 2. 
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b. reevaluate in light of additional countermeasures 
proposed in previous iterations; 


(4) Develop a Contingency Plan; 


(5) Develop an AADPSP and submit it for COMNAVDAC 
approval; 


(6) Prepare the accreditation support documentation; 
(7) Issue a Statement of Accreditation; 


(8) Forward information copies of the Statement of 
Accreditation to COMNAVDAC. 


All countermeasures selected in step (7) define the 


Trusted Computing Base” (TCB). 


<The Trusted Computing Base (TCB) is the totality of 
protection mechanisms within a computer system--including 
hardware firmware, and software--the combination of which is 


responsible for enforcing a security policy. It creates a 
basic protection environment and provides additional user 
services required for a trusted computer system. The 


ability of a trusted computing base to correctly enforce a 
Security policy depends solely on the mechanisms within the 
TCB and on the correct input by system administrative per- 
sonnel of parameters (e.g., a user's clearance) related to 
the security policy. 
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VII. CONCLUSIONS AND RECOMMENDATIONS 


A. SUMMARY 

The intent of this thesis has been to evaluate the 
process whereby DON computer systems achieve accreditation. 
Emphasis has been placed on the accreditation process as it 
applies to shipboard microcomputer systems, which highlights 


some limitations inherent to OPNAVINST 5239.1A. 


ae CONCLUSIONS 

A basic conclusion of this thesis is that the DON has 
selected metrics which are inappropriate to the optimum 
selection of countermeasures. Risk analysis, the first step 
in the accreditation process, provides the means’ for 
identifying the threat and selecting countermeasures. Indi- 
Vidual countermeasures are selected based on their respec- 
tive ROI, the ratio of annual savings to the annual cost of 
additional countermeasures. The annual savings are 
calculated by subtracting the revised ALE from the original 
ALE. Two elements make up the ALE, the asset impact value 
and the threat values which are estimated for both the 
original and revised ALE's. These estimates are suspect 
because it can be argued that the values which comprise the 
ALE can be manipulated to justify expenditures for counter- 
measures. The argument made here is that given an ADP 


system 1s Critical re an organization's mission, 
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countermeasures should be selected which systemically 
provide security in the most cost effective manner. The 
model developed in Chapter V is an attempt to accomplish 
EehitsS. 

The issue of what countermeasures should be employed to 
secure shipboard microcomputer systems and achieve 
accreditation is also dealt with in Chapter V., The 
Nelson/DOD model proposes the use of administrative proce- 
dures and TEMPEST certification as the means to achieving 


shipboard microcomputer accreditation. 


C. RECOMMENDATIONS 

The analysis provided leads a tomehne “eonclusion that 
at least in this situation administrative structure lags 
well behind technical change. Within the DON, this problem 
transcends the usual difficulties experienced in updating 
documentation. Administrative lag is also manifested when 
directives are promulgated in that these directives 
typically have limited applicability and a short useful 
life. 

Because OPNAVINST 5239.1A is mainframe/computer center 
oriented in an environment in which diverse mini-~ and 
microcomputer systems are becoming prevalent, it is such an 
is truction. There is, however, a remedy which provides 
some relief from this problem. 

Nolan's Information System Life Cycle Model (Gibson and 


Nolan, 1974) demonstrates the evolutionary nature of an 
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organization's information systems (IS). While the model is 
not generally useful as a planning device, it can be used to 
determine an organization's position in the IS life cycle 
COMeEnuUItT Once this position has been established, 
Management has an indication of where the organization's 
ADP/MIS function is headed, given the organization's 
requirements. This information can then be used to 
generalized guidance and instructions in such a manner as to 
extend their applicability and overall usefulness. 

Based on OPNAVINST 5239.1A and other factors, the 
author's conclusion is that the DON is in the contagion 
stage of Nolan's model. This stage is characterized by the 
unplanned (in the macro sense) proliferation of hardware and 
applications software with little emphasis being placed on 
information as an organization resource. 

Organizations in the contagion stage are likely to 
experience problems associated with the proliferation of 
hardware and applications, while having few qualified 
individuals to perform necessary administrative functions. 
Management focus is on managing equipment rather than data. 
The problems experienced by the US Geological Survey and the 
DON associated with the lack of experienced personnel to 
provide analysis necessary for providing IS security is 
indicative of this situation. 

The solution to the problems of too few qualified per- 


sonnel and the necessity to conduct the complex computer 
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accreditation process is exacerbated by the size of the DON. 
[imethe shore term, the solution to the accreditation problem 
depends upon the DON's ability to implement alternate means 
of determining an ADP system's countermeasures which rely 
less on formal risk analysis, such as the Nelson/DOD model. 

However, the necessary conceptual elements comprising a 
possible long term solution are available. These elements 
are decision support systems (DSS) and distributed proces- 
Sang DSS are characterized as interactive computer-based 
systems that help decision makers utilize data and models to 
solve unstructured problems (Sprague and Carlson, 1982). 
Distributed processing is defined as a system in which 
peripheral small processors can completely process a 
transaction but are subordinate to one or more central 
processors. The peripheral machines are linked to the 
center, and the entire complex is designed in a coordinated 
fashion. Programs and data bases are centrally prepared and 
down-line loaded into the peripheral machines (Martin, 
1981). 

A DSS could be developed which would assist in the 
process of determining an information system's most cost 
effective set of security countermeasures, leading to 
systems accreditation. In essence, Appendix E could be 
automated. The DSS could then be distributed, utilizing the 


Defense Data Network (DDN), to various locations such as 
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NARDACS, where local organizations could use the system with 
the assistance of NARDAC personnel. 

The development of such a DSS requires the completion of 
the following, possibly as future research endeavors: 

- creation of a dialog subsystem; the capabilities of the 
system must be articulated and implemented through the 
dialog; 

- creation of a model subsystem; the capability to inte- 
grate data access and decision models (in this case the 
capability to model computer systems must be 


developed) ; 


- creation of a data base subsystem; this entails 
automating the Evaluated Products List for Trusted 


Computer Systems, and 


- link all components of the DSS using the DDN. 
Unfortunately, this recommendation exceeds the DON's 
present data administration capabilities and should only be 
undertaken when the DON's IS have become much more mature. 
Ironically, at that point the DON's need for the DSS will be 


much less dramatic. 
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APPENDIX A 


AUeeoseunRrtY SURVEY 


SECTION I. Basic Data. 


1. 


System Identification: Shipboard Microcomputer System 
( ) Office Information System 

(X) ADP System 

( ) Network 


System Description: 


In general, the system described here is intended to be 

representative of the type system presently being used 
in the shipboard environment, one which supports line 
functions aboard cruiser/destroyer type ships at sea. 
The system hardware components consist of a central 
Processing unit, keyboard, CRT, and printer. System 
software consists of an operating system, word 
processing, and database programs. The personnel using 
the system are primarily officers and chief petty 
officers, but could include any individual owning a 
microcomputer who is using it aboard ship. System data 
includes classified and unclassified message drafts, 
information covered under the Privacy Act, and 
information specific to each department including 
custody items, personnel qualifications, inventories, 
etc. System procedures should, at a minimum, address 
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access controls, means to ensure data integrity, and 
backup and recovery. 


Equipment Location: CO, XO, and Department Head's 
staterooms. 


System Operations Contact for Security: 


Name: ADP Security Officer Code: 
Ecler Room: Phone: 


Type of Data Processed and Security Mode of Operation 


PERCENT On 
PROCESSING SECURITY Me@@E 
TYPE OF DATA ahi OF OPERATION# 
Level I 
TOP yo eCRE at Dedicated Mode 
SECRET 2 | " 
CONFIDENTIAL 8 a 
Level II 
Privacy Act 19 i 
For Official Use Only 10 a 
Financial 10 
Sensitive Management 10 ™ 
Level IIt 40 7 
TOTAL 100% 
(*Note: Applicable security modes are: Compartmented, 


Controlled, Dedicated, System High, Multilevel, Limited 
Access, as defined in Appendix A of OPNAVINST 5239.1A.) 


Operating System and Standard Application Software 
Identifications: 


Any IBM PC Compatible DOS operating system, word 


processing, database management system, etc. 


Scope of System: (Check all thateapoty.) 


(X) Stand-alone and single controlled area (single CPU 
with single workstation). 
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( ) Shared logic and single controlled area (single CPU 
with multiple workstations). 


( ) Shared logic and more than one controlled area 
(single CPU with multiple workstations). 


( ) Multiple processors and single controlled area 
(multiple CPUs) 


( ) Used with a remote computer percent of the 
time. . 


(X) Other: Multiple stand-alone microcomputers and 
multiple controlled areas (many CPUS with many 
workstations). 


8. Total Value of System: $6,000 (Dollar value 
impact of loss and cost to replace). 


A. Equipment: $5,000 
B. Software: $1,000 
Ce. Data: $0 


The Level I data used in this system is transitive in 
nature. The predominant use of this data is in classified 
message drafts. Because it 1S not a stored data base the 
associated security problem is greatly reduced. 


The $0 value for data is justified if 3 conditions are 
met: 


- the system achieves TEMPEST certification, 
- training is conducted to maximize operator proficiency, 
thereby reducing operator error, unintentional disclo- 


Sure of Level I data, and data entry errors, and 


- management procedures mandate periodic back-up of all 
software data files. 


9. Mission Relatedness 
A. Primary Function(s) of the System or network: 
The function of the shipboard microcomputer system 
is to provide a more convenient means of conducting 


administrator. This is accomplished by providing 
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the CO, XO, and Department Heads a more expeditious 
means of accessing, updating, and manipulating 
data. The system also facilitates the preparation 


of messages. 


Be Contingency Plan Requirement: 

Because the system is not mission critical, a 
contingency plan is not required. A loss of 
processing capability for a reasonable period of 
time would not adversely affect the ship's mission. 
If alternate hardware exists, its location shall be 
specified as well as the location of data/software 
diskettes, back-up diskettes, and supplies. 

Section II. Site Security Profile and Minimum Requirements 


for Environmental and Physical Security. 


ie 


Vulnerability: Temperature or Humidity Outside 
Normal Range. 


Operating Countermeasures: (Check all that apply.) 


(x) Adequate heating and controls 
(x) Adequate cooling and controls 


( ) Only designated personnel operate controls 

( ) Functioning temperature and humidity recorder 

( )9) Funerionime temperature/humidity warning 
system 

(.) ..Othex; 


Assessment of Risk: 
(>) hioh ( ) Moderate (x) Low 


Vulnerability: Inadequate Lighting or Electrical 
Service. 


Operating Countermeasures: (Check all that apply.) 
(X) Adequate primary lighting 
(X) Adequate emergency lighting 
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(X) Adequate periodic checks of emergency lighting 
(X) Adequate primary power and outlets 


(ee PuUnCELOnInG power filters Or voltage 
regulators 

(X) Available backup power 

(ee Others. Battery back-up Ora soft faa 
capability 


Assessment of Risk: 

(etre (X) Moderate ( ) Low 
Vulnerability: Improper Housekeeping. 

Operating Countermeasures: (Check all that apply.) 


(X) Routine cleaning schedule is adhered to 

( ) Cleaning personnel are trained in computer 
room procedures 

( ) An ADP facility representative is present 
GQuring cleaning 

( ) Dust contributors are not permitted in 
equipment area (outer coats, throw rugs, 
drapes, venetian blinds, etc.) 

(X) Air-conditioning filters are cleaned/replaced 
regularly 

(X) Floors are polished with non-flake wax using 
proper buffer materials or properly damp- 
mopped 

( ) Carpet areas are vacuumed frequently and anti- 
static spray is used regularly 


CG weomoking, eating, and drinking are Hot 
permitted in equipment areas 
(=) -Orcher: 


Assessment of Risk: 

CP itera ( ) Moderate (X) Low 

Threat: Water Damage. 

Operating Countermeasures: (Check all that apply.) 


(X) Water/steam pipes are not located above 
equipment 

(X) Water/steam pipes are inspected at regular 

intervals 

Functioning humidity warning system 

Dry pipe sprinkler system 

Plastic sheets available to cover susceptible 

equipment 


ON NO 
Nee Me See” 
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NNN 


(X) Water detection devices 
(CMR ROcher: 


Assessment of Risk: 
(ee ae oie ( ) Moderate (X) Low 
a Threat: Fire. 
Operating Countermeasures: (Check all that appivs 


(X) Up-to-date fire bill posted 

(X) Periodic fire drills 

(X) Training--fire prevention methods 

(X) Training--emergency power down procedures 
(X) Training--knowledge of fire detection system 
(X) Training--use of fire extinguishers 

(X) Training--use of fire alarm system 

( ) Training--evacuation plan 

(X) Training--individual responsibilities in case 
of fire 

Functioning emergency power-off switches 
Sprinkler system installed 

Halon system installed 

Carbon dioxide fire extinguisher installed 
Smoke/heat detectors installed 

Functioning fire alarm system 

Emergency exits clearly marked 

Other: 


mS Ges se 
~ Mm 
ee eee ee ee ee ee ee ee” 


Assessment of Risk: 
(>) erie ( ) Moderate (X) Low 


ee ce es ec sce In existence 
|.  —-_- o Ppeeerrrr---- Being developed 
------- Required but no action taken 
| -- Not required 
) ( ) ( ) Security Operating Procedures Handbook 
) ( ) ( ) Line diagrams showing interconnection 
of components and physical layout 
) (%) €() ¢ ) BD@SEGriperen see countermeasures in 
place 
) C7) () ( ) Copies of previous accreditation or 
interim authority to operate 
) TEMPEST accreditation request 
) TEMPEST accreditation test results 
) Physical accreditation (for SCI data 
only) 
) ST&E Test Plan 
) Contingency Plan 
) Contingency Plan test results 


~———” 
—-~ 
— 
Ger 
a” 
~~ ——~ 


~— 
—~, 
— 
G-~-_~— 
~— 
Ga 
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( ) () Formal Risk Assessment 
(3) ( ) ( ) Other (specify): 
SeecrtrON IV. Survey Data. 

is Current Status: 


( ) Operating under accreditation for processing 





Level data in security mode 
of operation. Accreditation granted by 
Dated : (Attach a copy of statement of 
accreditation.) 

( ) Operating under interim authority Lor 
processing Level data in 
security mode of operation. Interim authority 
granted by . Dated . Expires 


(Attach a copy of interim authority 
to operate.) 


rs Survey Prepared By: 
Name: Code: 
Racy Room: Phone: 


To the best of my knowledge, the information provided in 
this survey and the attached documentation is complete and 
meouracte. 

Signature Date 


6. Vulnerability: Unauthorized Physical Access. 


Operating Countermeasures: (Check all that apply.) 


(X) Perimeter fence (access to quarterdeck 
controlled) 

(X) Security guards (petty officer of the watch 
armed) 

(X) Building secured outside of normal working 
hours 

( ) Area alarms (motion detectors, open door 


detectors, perimeter penetration detectors) 
Authorized access list 

Cypher door lock 

Combination door lock 

Recognition of authorized personnel 

Closed circuit television 

Administrative procedures 

Physical isolation/protection 

High employee morale 


oS 


—_—_«_ ams ims issn ims™=sc ms! 
See ee ee ee ee ee eee eee” 
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( ) Close supervision of employees 

(X) Indoetranativen Of personnel eh securltey 
' awareness 

( ) Other: 


ASSessment none k loi 


(>) Hien ( ) Moderate ( ) Low 
SECGREON: ~ Tite: Current status. of accreditation support 
documentation. (Applies to all ADP activities and networks 


which will be authorized to handle Level I or Devel 
data.) 


1. All ADP activities and networks which will be 
authorized to handle Level I or II data must either be 
accredited or be granted interim authority to operate 
pending accreditation. Accreditation is based on supporting 


documentation including a risk assessment. This section 
provides a statement of the current status of the 
accreditation support documentation. (Check all that 
apply.) 
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APPENDIX B 


KiLoMenoOboOwMONa, METHOD IT 


Completing the Risk Assessment Matrix and the Additional 
Countermeasures Selection Worksheet satisfies the require- 
ments for Method II. Risk Assessment Matrix #1 is provided 
eo illustrate how easily large sums of money can be 
justified. In this case $377,025 is the TOTAL ALE. 

However, TEMPEST certification eliminates the 
Eavesdropping threat and a training program encompassing 
system use and administrative procedures will substantially 
reduce the unintentional operator error, unintentional 
disclosure, and unintentional data entry error threats. 

Only those countermeasures not already a part of the 
eyecem are included in the calculations. Risk Assessment 
Matrix #2 indicates the threats which have not yet been 
countered and the Additional Countermeasures Selection 


Worksheet indicates the appropriate countermeasures. 
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APPENDIX C 


DEVELOPMENT, CONDUCT AND REPORTING OF SECURITY 
TEST AND EVALUATIONS 


1. PURPOSE. 


1.1. For ST&Es that are preceded by Method I risk assessments, 
the checklist (Appendix C) will be used to aid i1in_ the 
identification of countermeaSurers and vulnerabilities required 
for completion of Appendix A. 


1.2. For ST&Es that are preceded by a Method II risk assessment, 
the checklist will be used to obtain the data required for the 
DAAS to assure the system iS operating within an acceptable level 
of risk. 7 


2. ORGANIZATION. 
Me The checklist iss divided inte 2 sections: Section I 
contains general activity-wide questions; Section II cortains 


system-specific questions. 


2.2. Each question has three possible anSwers: yes, no, and not 


applicable (N/A). 'Yes' means the requirements addressed in the 
question have affirmatively been met. ‘'No' means that some level 
of risk exists. "'N/A' means that the subject matter addressed 


does not apply to the system being evaluated. A line of comments 
has been provided after each question for further explanations as 
required. 


3. PROCEDURES. 

3.1. For ST&Es preceded by Method I risk assessments, complete 
the checklist and use the results in conjunction with the risk 
assessment to aid in the identification of vulnerabilities and 
countermeasures in Appendix A. 


3.2. For ST&ES prceded by Method II risk assessments, complete 
the checklist and use the results to develop an ST&E report for 
Submission to the DAA. Ensure the report addressess all 
questions answered with a "NO." 


nS 


re a rr ee CE re IE Gee PGRN + eng oe pes 


SECTION I 


ACTIVITY 


Has an ADP Security Program been established? 


Comments: 





Has an Activity ADP Security Plan (AADPSP) 
been developed? 


Comments: 
Has the AADPSP been approved by the Naval Data 
Automation Command (NAVDAC) Code 51? 


Comments: 


Has the Designated Approving Authority granted 
aGtivity accred) tation. 


Comments: 


Is the AADPSP updated as Changes occur? 
Comments: 
Is there evidence that top-level management 


Supports the ADP Security program through 
Such requirements as security awareness 


training, documented security procedures, etc.? 


Comments: 


Is the ADP security starf sufficient to support 


tae AD? Security Progran? 


C oMmMer cS: 


- ee a ee 
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YES NO 


10. 


i. 


i. 


YES NO N/A 


Has an ADP Security Officer (ADPSO) been 
appointed in writing by the Commanding Officer? 


Comments: 
Does the ADPSO have a strong technical back- 
qround and experience in the administration of 


mDP systems? 


Comments: 


Has the ADPSO received training on OPNAVINST 


oo. LA? 

Comments: 

Have the duties and responsibilities of the 

ADPSO been defined in writing? 

Comments: 

Do the duties and responsibilities of the 

ADPSO include: 

a. Coordinating with the command security 
manager on matters concerning ADP 
security, in accordance with the security 
Organizational structure established by 


the Commanding Officer? 


Comments: 





b. Developing and maintaining an ADP Security 
Plan (ADPSP) ? 


Comments: 





Cc. EnSuring that a Network Security Officer 
(NSO) is appointed for networks which 
are sponsored by the activity? 


Comments: 








YES° NO WN/A 
gd. Ensuring that ADP System Security 
Officers (ADPSSOs) are appointed in 
writing where applicable? 


Comments: 





é€. Ensuring that Terminal Area Security 
Officers (TASOs) are appointed where 
applicable for each remote facility? 


Comments: 


f. Ensuring that an effective activity Risk 
Management Program iS implemented? . 


Comments: 


g. Ensuring that all ADP security incidents 
Or violations are investigated, documented 
and reported to appropriate authorities? 


Comments: 


he. Ensuring that security requirements are 
included in life cycle management docu- 
mentation aS prescribed in SECNAV 
Instructions 5000714 on 52313 aeas 
appropriate? 


Comments: 


i. Ensuring that all procurement documents 
Or specifications approved within the 
activity comply with ADP security 
requirements? 


Comments: 
j}. Ensuring the contracts (DD FoOrtme254) same uac 
Statement(s) ensuring contractor compliance 


with Navy ADP Security requirements? 


Comments: 
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PS. 


» 


YES NO N 


k. Ensuring the development and testing 
Ctedeeeooncingency spLansa. 


Comments: 








1. Ensuring the NAVAUDSVC is advised 
of the development of an ADP system, 
aS applicable? 


Comments: 





m. Ensuring that accreditation documentation 
is developed and maintained? 


Comments: 

n. Assisting the ADP security staff in 
implementing their respective ADP security 
requirements? 

Comments: 

Oo. EnSuring that applicable personnel security 
procedures are established? is Be 

Comments: 

p. EnSuring that Security Test and Evaluations 
(ST&Es) are conducted where applicable? 

If this activity sponsors a network: 


a. Has a Network Security Officer (NSO) 
been appointed in writing? 


Comments: 
b. Have the duties and responsibilities 
CeweiemnoOmocen Cekined sin writing? 


Comments: 





ee es en ae Gee | ee mee 


dAn 


iD: 


c. Do the duties and responsibilities 
of the NSO include: 


(1) @Ensuring that countermeasure. 
and security requirements are 
in the network design and that 
individual nodes of the network 
comply with these countermeasures 
and requirements, prior to inter- 
facing with the network? 


Comments: 





(2) Ensuring that security measures 
and procedures used at network nodes 
fully support the security integrity 
of the network? 
Comments: 
(3) Maintaining liaison with all 
ADPSSOs in the network? 
Comments: 
(4) Ensuring that all required | 
countermeasuers are utilized? 
Comments: 


Are all ADP security violation/incidents reported 
to the ADPSO? 


Comments: 


Do newly assigned ADP personnel receive briefings on: 
a. ADP security procedures of the activity 


Comments: ~ 





b. Marking, handling and accountability of 
classified ADP information? 
Comments: 


8 0 


Gs Mazking, handling and accountability 
of ADP sensitive, unclassified 
information? 


Comments: 


d. ADP emergency procedures? 


Comments: 


ol: 


SECTION II 
SYSTEM 
NAME OF SYSTEM: 


TYPE OF SYSTEM 


Office Information System (OIS) 


a. Has an Office Information System 
Security Officer (OISSO) been 
appointed in writing? 


Comments: 
b. Have the duties and responsibilities 
£ the OISSO been Gefined in writing 
by the ADPSO? 


Comments: 


c. Do the duties and responsibilities 
of the OISSO include: 


Comments: 


(1) Being. the focal pointe er sam: 
security matters for the OIS 
systems assigned? 


Comments: 


(2) Executing the ADP Security 
Program as it applies to 
the assigned OIS systems 
including preparing and 
supporting the accreditation 
Support documentation? 


Comments: 
(3) Maintaining an inventory of all OIS 
hardware, system software and major 


functional appplication systems? 


Comments: 
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LES 


(4) Monitoring system activity (e.g., 
identification of the levels and 
types of data handled by the OIS 
systems, asSignment of passwords, 
review of audit trails, etc.) to 
ensure compliance with security 
directives and procedures? 


Comments: 


(5) Maintaining liaison with remote 
facilities served by the OIS systems 
to ensure compliance with applicable 
security requirements? 


Comments: 

(6) Conducting and documenting risk 
assessments for the assigned 
OIS systems? 

Comments: 

(7) Supervising, testing and monitoring, 
aS appropriate, changes in the OIS 
system affecting the ADP activity 
posture? 

Comments: 

(8) Implementing appropriate counter- 
measures required by directive or 
determined cost effective? 

Comments: 

(9) Assisting the ADPSO in implementing 

a comprehensive Activity ADP 


Security Program? 


Comments: 


Yoo 


(10) Developing and testing annual contingency 


Plans for the assigned OIS systems? 


Comments: 


SS 


(11) Monitoring OIS procurements 
for security impact to ensure 
compliance with security 
regulations and known security 
reguirements for the assigned 
OIS systems? 


Comments: 
d. If the OIS system has remote terminals: 


(1) Have TASOs been appointed? 


Comments: 
(2) Have the duties and responsibilities 
of the TASOs been defined in writing? 
Comments: 
(3) Do the duties and responsibilities 

of the TASO include: 

(a) Serving as a single point of 
contact at his terminal area 
for the OISSO? 

Comments: 

(b) Implementing and enforcing 
all security requirements 
established by the OISSO for 
remote terminal areas? 

Comments: 

(Cc) Ensuring all countermeasures 
for remote terminal areas 
are in place? 

Comments: 

(d) Developing terminal security 

procedures for OISSO approval? 
Comments: 


8 4 


Comments: 


Comments: 


Comments: 


(4) 


Comments: 


ADP System 


a. Has an ADP System Security Officer (ADPSSO) 


(e) 


(£) 


(g) 


Have security requirements been agreed 


Maintaining a current access 
list of remote devices? 


Reporting security abnormal- 
ities to the OISSO or his 
designated representative? 


Returning to the OISSO products 
that cannot be identified or 
which contain extraneous data? 


to in writing between the host Site and 
remote device sites? 


been appointed in writing? 


Comments: 


b. Have the duties and responsibilities of the 


ADPSSO been defined in writing? 


Comments: 


c. Do the duties and responsibilities of 
the ADPSSO include: 


(1) 


Comments: 


Being the focal point for all security 
matters for the ADP systems assigned? 
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YES 
(2) Executingithe ADP lSeceumma, 
Program as it applies to the 
assigned ADP systems including 
preparing and supporting the 
accreditation Support docu- 
mentation? 


Comments: 


(3) Maintaining an inventory of all 
hardware, system software and 
major functional application 
systems? 


Comments: 


(4) Monitoring system activity (e.g., 
identification of the levels and 
types of data handled by the ADP 
Systems, assignment of passwords, 
review of audit trazls ete eco 
ensure compliance with security 
directives and procedures? 


Comments: 


(5S) Maintaining liaison with remote 
facilities served by the ADP 
systems to ensure compliance 
with applicable security re- 
quirements? 


Comments: 


(6) Maintaining liaison with remote 
facilities served by the ADP 
System to ensure that a terminal 
area security officer (TASO) is 
designated by the served activity 
where applicable? 


Comments: 
(7) Conducting and documenting risk 
assessments for the assigned ADP 
systems? 


Comments: 
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(8) Supervising, testing and mon- 
itoring, aS appropriate, changes 
in the ADP system affecting the 
ADP activity posture? 


Comments: 


(9) Implementing appropriate coun- 
termeaSures required by directive 
Or determined cost effective? 


Comments: 


(10) Assisting the ADPSO in imple- 
menting a comprehenSive Activity 
ADP Security Program? 


Comments: 


(ll) Developing and testing annual 
contingency plans for the asSigned 
ADP systems? 


Comments: 


(12) Monitoring ADP procurements for 
security impact to ensure compliance 
with security regulations and known 
security requirements for the assigned 
ADP systems? 


Comments: 
d. If the ADP system is a node of a network: 
(1) Have security requirements been agreed 
to in writing by the network DAA and 
the ADP facility DAA of the network? 


Comments: 


> 





(2) Has an ADPSO been appointed in writing 
for the node? 


Comments: 





Yeo 


e. If the ADP system has remote terminals: 


(1) 


Comments: 


(2) 


Comments: 


(3) 


Comments: 


Comments: 


Comments: 


Comments: 


Comments: 


Comments: 


Have Terminal Area Security Officers 


(TASOS) been appointed? 


Have the duties and responsibilities 


of the TASOs been defined in writing? 


Do the duties and responsibilities of 
the TASOUnelugde: 


(a) 


(d) 


(ie) 


Serving aS a Single point of con- 
tact at his terminal area for the 
ADPSSO? 


Implementing and enforcing all secu- 
rity requirements established by 

the ADPSSO for remote terminal 
areas? | 


Ensuring all countermeasures for 
remote terminal areas are in- 
place? 


Developing terminal security pro- 
cedures for ADPSSO approval? 


Maintaining a current access list 
of remote devices? 


Reporting security abnormalities 
to the ADPSSO or his designated 
representive? 


8 


Comments: 


(4) 


Comments: 


(g) Returning to the ADPSSO ADP prod- 
ucts that cannot be identifiied or 
which contain extraneous data? 


Have security requirements been agreed 
to in writing between the host site 
and remote device sites? 
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Na EP RS Rr UrEP cara flare g 


SYSTEM ACCREDITATION YES NO 


l. Is this system accounted for on the ADPSO's 
inventory? 


Comments: 


2. HaS a survey (Figure E-l in OPNAVINST 5239.1A) 
been completed on this system? 


Comments: 


3. Have security operating procedures been 
developed for this system? 


Comments: 


4. Has the DAA determined if a risk assessment 
1S required? 


Comments: 
5. If a risk assessment 1s required: 

a. Has the risk assessment been performed? 
Comments: 


b. Do the ADPSO and ADPSSO maintain a 
copy of the risk assessment? 


Comments: 


c. Is the risk assessment kept updated and 
repeated: 


(1) At least every 5 years? 
Comments: 

(2) When any change 1S made to the 
facility, ADP equipment, system 
software or application software 
which effects the overall ADP 
security posture? 


Comments: 
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0. 


YES NO N/A 


(3) When any change is made in 
Operational configuration, 
data Sensitivity, or class- 
ification level? 


Comments: 





(4) When any change is made which 
appears to invalidate the 
Original conditions of accred- 
BeatLon: 


Comments: 


Has a Security Test and Evaluation (ST&E) been 
prepared (only for systems processing Level I 


Or II data) which is sufficiently comprehensive 


to ensure thorough examination and exercising of 
the system's security control features and pro- 
cedures and/or in combination, to determine 
their effectiveness and reliability? 


Comments: 

Has an ST&E been performed to determine the 
effectiveness of countermeaSures employed in 
maintaining the security of the system at an 
acceptable level of risk? 


Comments: 


Do the ADPSO and ADPSSO maintain a copy of 
the ST&E plan and results? 


Comments: 


Is a contingency plan for this system in 
existence? 


Comments: 


Does the contingency plan, at a minimun, 
address: 


a. The actions required to minimize the impact 
eae tOod, sGlvyil disorder, natural 
disaster, or bomb threat? 


Comments: 





2) Al 


Dales 


Ze 


eS. 


2eo 


b. Backup procedures to conduct essential ADP 
Operational tasks after a disruption to 
the primary ADP facility? 


Comments: 


c. Recovery procedures to permit rapid restora- 
tion of the ADP facility following physical 
destruction, major damage or loss of data? 


Comments: 
Does the contingency operations plan provide for: 


a. Local storage of tapes and punched cards 
in the central computer facility in metal 
Or other fire retardant cabinets? 


Comments: 


b. Duplicate system tapes, startup decks, data 
base save tapes, and site-unigue application 
program card files or tapes to be maintained 
in a secure location removed from the central 
computer facility? an 


Comments: 


c. Identification of an alternate Site con- 
taining compatible equipment? 


Comments: 

qd. Destruction or safeguarding of classified 
material in the central computer facility 
in the event that the facility must be 
evacuated? 


Comments: 


NO 





Has the contingency plan been tested during the 
past year? 


Comments: 





Do the ADPSO and ADPSSO maintain a copy of the 
Contingency Plan? 


Comments: 


nN @ WROTE YEE ty 
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14. Do the ADPSO and ADPSSO maintain a copy of the 
Contingency Plan Test and Evaluation Report? 


Comments: 


9.3 


HUMAN RESOURCES SECURITY 


1. Do all personnel having unescorted 
access to the system possess a 
clearance and a need-to-know equal 
to or higher than the highest class- 
ification and all categories of data 
being processed? 


Comments: 

2. Is an access roster maintained at each 
entry point to the central computer 
facility and remote terminal area? 

Comments: 

3. Are escort procedures established for 
controlling visitors to the central 
computer facility and remote terminal 
areas? 


Comments: 


a. Are all potential escorts properly 
briefed on their responsibilities? 


Comments: 


b. IS a record of all visitors 
Maintained for 12 months? 


Comments: 

4. During operational hours is the central 
computer facility manned by at least 
two cleared personnel? 

Comments: 

5. Are all unescorted maintenance personnel 
cleared for the highest level and all 
restrictive categories of classified 


information in the system? 


Comments: 


6. Are escorts provided for maintenance per- 
sonnel who are not appropriately cleared? 


Comments: 

7. Are escorts technically competent to 
review the maintenance work performed? 

Comments: 

8. Are procedures to delete and add per- 
sonnel to access lists implemented, in- 
cluding the notification of all concerned 


ADP security officials? 


Comments: 


a5 


Po eS et eR ents Ae gt 


YES NO 


PHYSICAL SECURIEY 


1. Does the computer facility meet the 
following requirements? 


a. Is the system operated within 
the manufacturer's optimum 
temperature and humidity range 
Specifications? 

Comments: 


b. Are environmental systems dedicated 
to the computer facility? 


Comments: 


c. Are environmental controls regulated 
by key designated personnel only? 


Comments: 

d. Is a temperature/humidity recording 
instrument inStalled to menitec: 
the system area? 

Comments: 

(1) Is the temperature/humidity 
instrument connected to an 
alarm to warn of near-limit 
COnaLtei1ons? 

Comments: 

e. Is there adequate lighting? 
Comments: 

f. Is there emergency lighting? 


Comments: 


g. Are periodic checks made of the 
emergency lightumng, 


Comments: 


96 


lis 
Comments: 


ie 


Comments: 
as 
Comments: 


ne 


Comments: 


tes 


Comments: 


Mm. 


Comments: 


n. 


Comments: 
oe 

Comments: 
p. 


Comments: 


q. 


Comments: 


-— ee ew ee 


YES NO 


5 


Is electrical power reliable? 





Are there voltage regulators or 
other electronic devices to pre- 
vent seriouS power fluctuations? 





Is there an uninterruptible power 
Source for the facility? 





Are cleaning procedures and schedules 
established and adhered to? 


Is an ADP representative present 
during cleaning operations? 


Is the facility overhead free of 
Steam and water pipes? 


Are plastic sheets available to pro- 
tect the system from water damage? 


Is there a facility fire bill? 


P 


Are emergency exits clearly marked? 


Do employees receive periodic 
training in the following areas: 


(1) Power shut down and start 
up procedures? 





YEo 
(2) Operation of emergency power? 
| Comments: 
| (3) Operation of fire detec- 
| tion and alarm system? 
Comments: 
(4) Operation of fire sup- 
pression equipment? 
Comments: 
(5) Building evacuation procedures? 
Comments: 

ae Is there a master power switch to 

all ADP equipment? 
Comments: 

S. Is the master power Switch located 
near the main entrance of the ADP 
area? 

Comments: 

ee Is the master power switch adequately 
labeled to prevent accidental shut 
Ott a 

Comments:. 

i If the system processes critical appli- 
cations, 1S there a sequential shut 
down routine? 

Comments: 

Ver Is there a sufficient number of 

portable fire extinguishers? 
Comments: 
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Comments: 


Xe 


Comments: 


ve 


Comments: 


Ze 


Comments: 


aa. 


Comments: 


bb. 


Comments: 


CC. 


Comments: 


dd. 


Comments: 


ee 


Momtnese a central Lire SUDpresslon 
system? 


Is there automatic smoke/fire 
detection equipment? 


Does the smoke/fire detection equip- 
ment activate an alarm at the near- 
est fire station? 


Are there warning signs posted out- 
Side tape vaults and other magnetic 
Storage areas to warn fire fighters 
of toxic fumes? 


If the facility does not operate 
24-hours, 1s there a guard force 
employed after hours and on week- 
ends? 


Is the guard force briefed on 
emergency procedures? 


Is the guard force provided 
with an emergency recall bill? 


Are physical access controls imple- 
mented to prevent unauthorized entry 
into the computer facilities and 
remote terminal areas? 


oo 


mes 





ee. 


Comments: 


EL. 


Comments: 


Are visitor control procedures 
in place? 


Are positive personnel identification 
measures (e.g., badge system, finger- 
prints) in place? 
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YES 


COMMUNICATIONS SECURITY 


1. Do all communications links between remote 
terminal areas and the central computer 
facility meet the requirements for the 
transmission of the highest classification 
and for all categories of data which are 
contained in the system? 


Comments: 


2. Are all remote terminals uniquely identified 
when accessing the host? 


Comments: 

3. Are all dial-up terminals disabled from 
connection to the central computer facil- 
ity during classified processing 
periods? 


Comments: 


} eo 


[SSS ee 


G. EMANATIONS SECURITY 


l. If the ADP system processes Level I data: 


a. 


Die 


Comments: 


Comments: 


Ce 


Comments: 


| 
| Comments: 
| 


Has a TEMPEST vulnerability 
assessment been requested? 


Has a TEMPEST vulnerability 
assessment been performed? 


(1) Does it represent the current 
equipment configuration? 


Are all changes, repairs, and modi- 
Fications to TEMPEST certified ADPE 
controlled so that equipment emana- 
tl1on characteristics are not 
altered? 


| 102 


YES 


HARDWARE SECURITY 


1. Is the site SOP manual used for configu- 
ring system hardware? 


Comments: 


2. Are switch settings for each hardware unit 
specified for each system? 


Comments: 


3. Are scheduled maintenance activities mon- 
itored to ensSure proper reliability and 
performance? 

Comments: 


4. Are periods of down time verified? 


Comments: 
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SOFTWARE SoLGURITT Y 


J}. Is the authenticity of the eee awe 
system or executive software verified 
by comparing the registry or shipment 
number of. the software package with 
that contained in record communications 
from the Originaceme 


Comments: 

2. Prior to operational use of any new 
System release, does the ADPOS@scconduc. 
sufficient testing to verify that 
the system meets the documented and 
approved security specifications? 

Comments: 

3. Are testing and debugging of new releases 
performed during dedicated time in a 
controlled environment? 


Comments: 


4. Are all site-unique patches tested by 
System software personnel? 


Comments: 


5. Is a log of all system patches main- 
tained and monitored by the ADPSSO? 


Comments: 

6. Are all modifications to the operating 
system cross-checked by two appropriately 
cleared operating system programmers? 


Comments: 


7. Are startup procedures executed as 
described in the site SOP manual? 


Comments: 
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YES 


8. Are system tapes identified in a unique 
manner to distinguish them from 
non-system tapes? 


Comments: 


9. Are system tapes protected to the 
highest classification and for all 
restrictive categories of data which the 
central system is processing or storing 
online? 


Comments: 


10. Has a method to control access to system 
tapes or disks been developed and approved 
by the ADPSSO? 


Comments: 


ll. Is the ADPSSO informed of all unauthor- 
ized requests for system tape access? 


Comments: 


12. Are system module source listings made 


available to site personnel only on a 


need-to-know basis and are the listings 
physically protected as FOUO? 


Comments: 


13. Has each individual uSer been assigned a 
unique user identification and password 


which has been randomly, machine generated? 


Comments: 


14. Is a password changed: 


Ae 


Comments: 


Whenever an individual knowing 
log-on password is transferred, 


a 
dis- 


charged, reasSigned or the individual's 


Security clearance is reduced, 
Or removed by proper authority? 


seks 


suspended, 





YES 
re Whenever a password or record of pass- 
word has been compromised, or is 
Suspected of being compromised? 


Comments: 


Comments: 
15. Is removable media controlled at the highest 


ole At least annually? 
| 
level of data processed and reStricted to 
uSers cleared for that level? 
| Comments: 


16. When no longer needed, are data purged 
or declassified? 


Comments: 


17. Does an audit record identify the reason 
for system shutdown or crash? 


Comments: 


18. Are system dumps taken following a 
System crash? 


Comments: 


19. Are system dumps reviewed by the ADPSSO 
Or site analyst? 


Comments: 


20. Is all memory purged between periods 
processing? 


Comments: 

21. Are security specifications coordinated by 
Site management prior to approval of appli- 
cation software development and main- 
tenance? 


Comments: 
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— me ee ae oe 


TES 


22. Are application software design reviews con- 
Gucted, documented, and maintained as official 
records of the site? 


Comments: 


23. Are system tests of new application 
releases conducted? 


Comments: 
24. If operational user files are required 
for testing, are only copies of the 


files used? 


Comments: 


An 


YES NO N/A 


ADMINISTRATIVE SECURITY 


l. Are effective procedures for limiting 
access to the system and its data estab- 
lished and implemented? 


Comments: 
2. Does the ADPSSO maintain a current roster 
of all personnel authorized access to the 


System? 


Comments: 





3. Does the ADPSSO control the distribution of 
passwords? 


Comments: 


4. Are log-on passwords for unclassified systems 
marked For Official Use Only (FOUOQ) ? 


Comments: 


5. Are working papers containing classified 
information marked with: 


a. Date of creation? 
Comments: 
De Highest classification of anmweintor— 


mation contained in the product? 
Comments: 
6. Are printed listings containing classified 


information marked with the security classi- 
fication on the top and bottom of each 


page? 

Comments: 

7. Are microfilm and microfiche conspicuously 
marked on the microform media or its 
container with the overall security classi- 
fication so as to be readable with unaided eye? 


Comments: 
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8. Are all ADP storage devices externally 
marked with: 


Ae 


Comments: 


i 


Comments: 


C. 


Comments: 


The overall security classification? 


Special access restrictions? 


A permanently assigned identi- 
Ficatton/eontrol number? 


9. Do magnetic tapes have a gummed label 
affixed containing: 


Aa. 
Comments: 
b. 


Comments: 


Tape classification/declassification? 


Tape identification control number? 


10. Are removable disk packs marked with the 


same 


information required for magnetic 


tapes? 


Comments: 


ll. Are customers responsible for reviewing 
and verifying the actual classification of 
the product? 


Comments: 


12. Are effective procedures for protecting 
personal and other unclassified sensitive 


data 
Comments: 


13. Have 
COLE VY 


established and implemented? 


YES 





a 


procedures for maintaining an inven- 
of all removable magnetic storage 


devices been eStablished? 


Comments: 





G9 


14. Is the inventory listing for devices 
classified TOP SECRET or special 
category verified at least semiannually? 


Comments: 





15. Is the inventory listing for devices 
classified SECRET and below verified at 
least annually? 

Comments: 

16. Is magnetic storage media being declass- 
ified and disposed of as required by 
Appendix C of OPNAVINST 5239.1A? 

Comments: 

17. Are security incidents investigated to 
determine their cause, and where possible, 
the corrective action to be taken? 


Comments: 


18. Are ADP security incidents fully docu- 
mented and properly reported? 


Comments: 
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APPENDIX.) 


CONTINGENCY DATA FORM 


System Identification 

Code/Location 

ADPSSO 

Key User 

Alternate System Location 

Service Contract Identification 
Location of Data/Software Diskettes 
Location of Diskette Backups 


Location of Supplies (i.e, ribbons, 


printwheels, etc.) 


List of Authorized Users 


ik 


APPENDIX E 


THE NELSON/DOD MODEL DIAGRAM 


The Nelson/DOD model diagram is intended to be used in 


CONJUNCCION Wien Chasvere yi- 
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\4 
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Requiresent 
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Riek Indeg 
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Is Punding. 
Available ‘had. NO 


le The OA 
nr ae ent eens 4 = re — To Obligate 
ee inde 


N\A 


Yes 


Continue Using The 
Manual Systea 


BePENDEX 


RISK INDEX 


The evaluation class appropriate for a system is 
Gependent on the level of security risk inherent to that 
system. This risk is referred to as that system's risk 
index. Risk index is defined as the disparity between the 
maximum clearance of the least cleared system users and the 
maximum sensitivity of data processed by a system (CSC-STD- 
003-85). 

The Computer Security Requirements are based upon this 
risk index. Although there are other factors that can 
influence security risk, such as_ mission criticality, 
required denial of service protection, and threat severity, 
only the risk index is used to determine the minimum class 
of trusted computer systemt to be employed, since it can be 
uniformly applied in the determination of security risk. 
The risk index for a system depends on the rating associated 
Mien the system's minimum user clearance (Rpi,) taken from 
Table 1 and the rating associated with the system's maximum 


@ata Sensitivity (Rpay) taken from Table 2. 


1a system that employs sufficient hardware and software 
integrity measures to allow its use for processing 
Simultaneously a range of sensitive er classified 
information. 


eS 


The risk index is computed as follows: 
Case a. If Ryin 18 less than Rpay, then the risk index is 


determined by subtracting Roem Raave 
Case b. If Ryin 18 Greater than or equal to Rypay, them: 


Risk Index = 1, if there are categories on the system 
to which some users are not authorized 
access; 


= 0, otherwise (i.e., if there are no cate- 
gories on the system or if all users 
are authorized access to all 
categories). 


“There is one anomalous case in which this formula 
gives an incorrect result. This is the case where the 
maximum data sensitivity is Top Secret/Background Investiga- 
tion and the maximum data sensitivity is Top Secret. 


According to the formula, this gives a risk index of 1. In 
actuality, the risk index in this case is zero. The anomaly 
results because there are two "levels" of Top Secret 


clearance and only one level of Top Secret data. 


ine 


ie ate ee 


MOviwedemest CCRT YOU wENITS FOR OPEN SECURITY 
ENVIRONMENTS 


ISK INDEX See aa 0 ae linia ct taamaee 





Dedicated No Prescrived 
Minimum¢ 
Limited Access. Controlied, Bl4 
Compartmentec. Muitilevel 
Limited Access, Controlted, 2 
Compartmented. Multilevel 


Multiievel 





Multitevel : 


IThe asterisk (*) indicates that computer protection for environments with that 
risk index are considered to be beyond the state of current technology. Such 
environments must augment technical protection with personnel or 
administrative security safeguards. 


ZAlthough there is no prescribed minimum, the integrity and denial of service 
requirements of many systems warrantat least class Cl protection. 


3If the system processes sensitive or classified data, at least a class C2 svstem is 
required. If tne system does not process sensitive or classified data, a class Cl 
system is sufficient. 


4Where a system processes classified or compartmented data and some users do not 


have at least a Confidential clearance, or when there are more than two types of 
compartmented information being processed, at least a class B2 system is required. 


ee 


AT Ee 


COMPUTFER SECURITY REQUIREMENTS FOR ChOSED ShiG tie 
ENV IRONATENTS 


SECURITY OPE RSWIN MINIMGAPCRIBG ee 





RUSK INDEX MODE CLASS! 
Dedicated NO Prescriped 
AIinimuUm. 
Q) Svsterm, mae Cis 


Limited Access. Controlled, 
Compartmented. Multilevel 


Limited Access. Controlied, 
Compartmented, Multilevel 


“ | \iultilevel | B3 
o Multivevel | I 
6 Multievel ; 





IThe asterisk (*) indicates that computer protection for environments with that 
risk index are considered to be beyond tne state of current technology. Such 
environments must augment technical protection with physical, personnel, 
andor uamuinistrative sateguards. 


“Although there is no prescribed minimum, the integrity and denial of service 
requirements of many systems warrant at least class C1 protection. 


3If the system processes sensitive or classified data, at least a class C2 system 1s 
required. If the system does not process sensitive or classified data, a ciass Cl 
system 1s sufficient. 


4Where a system processes classified or compartmented data and some users do 
not have at least a Confidential clearance, at least a class B2 system is required. 


eke 
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APPENDIX G 
hoe oh VALOA hE PRODUCES LISTS FOR 
TR@S LESS COMPUPER®SYSTEMS 

The Department of Defense Computer Security Center 
(DoDCSC) was established in January 1981. The primary goal 
of the DoDCSC is to encourage the widespread availability of 
trusted computer systems, systems that employ sufficient 
hardware and software integrity measures to be used for 
simultaneously processing a range of sensitive or classified 
information (CSC-STD-001-83). 

The primary means by which this goal is achieved is 
through the DoDCSC's Commercial Product Evaluation Program. 
This program is focused on the technical evaluation of the 
protection capabilities of off-the-shelf commercially 
produced and supported systems that meet the computer 
security needs of government departments and agencies. 
Product evaluation results are published in an Evaluated 
Products List (EPL) which is independent of any considera- 
tion of overall system performance, potential applications 
or particular processing environment. The EPL provides an 
authoritative evaluation of a system's relative suitability 
for use in processing sensitive information. 


The DoD Trusted Computer System Evaluation Criteria is 


the standard against which products are evaluated. The 
"Criteria" are divided into four divisions: D (minimal pro- 
meec10On), E (discretionary protection), B (mandatory 


IES, 


protection), and A (verified protection), ordered in a 
hierarchal manner with the highest division (A) being 
reserved for systems providing the most comprehensive 
security. 

Each division represents a major improvement in the 
overall confidence one can place in the system for the 
protection of sensitive information. These divisions are 
based on features and assurances to support three types of 
security requirements: policy, accountaba lites and 
assurance. 

Generally speaking, secure systems use specific security 
features to control access to information such that only 
properly authorized individuals, or processes operating in 
their behalf, will have read or write access capabilities. 
Six fundamental requirements are necessary to support this 


objective: 
Policy 


Requirement 1--SECURITY POLICY--there must be an explicit 
and well-defined security policy enforced by the 
system. 


Requirement 2--MARKING--Access control labels must _ be 
associated with objects. 


lan object is a passive entity that contains or 


receives information. Access to an object potentially 
implies access to the information it contains. Examples of 
objects are: records, blocks, pages, segments, files, 


directories, directory trees, and programs. 


2 


Accountability 
‘Requirement 3--IDENTIFICATION--Individual veces must be 
identified. 
Requirement 4--ACCOUNTABILITY--Audit information must _ be 
selectively kept and protected so that actions 


affecting security can be traced to the responsible 
Dawey. 


Assurance 


Requirement 5--ASSURANCE--The computer system must contain 
hardware/software mechanisms that can be indepen- 
dently evaluated to provide sufficient assurance 
that the system enforces requirements 1 through 4 
above. 

Requirement 6--CONTINUOUS PROTECTION--The trusted mechanisms 
that enforce these basic requirements must be 
continuously protected against tampering and/or 
unauthorized changes. 

The products on the EPL have been evaluated against the 
Criteria and assigned an Overall Evaluation Class rating. 
The security evaluation of a product is contained in a 
formal report (NTIS). The Overall Evaluation Class (product 
rating) in the EPL is the highest class for which the 


evidence for the product demonstrates that all the require- 


Memisein the Criteria have been met. 
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